Abstract

Limits on Efficient Computation in the Physical World 

by 

Scott Joel Aaronson 
Doctor of Philosophy in Computer Science 

University of California, Berkeley 
Professor Umesh Vazirani, Chair 

More than a speculative technology, quantum computing seems to challenge our most basic 
intuitions about how the physical world should behave. In this thesis I show that, while 
some intuitions from classical computer science must be jettisoned in the light of modern 
physics, many others emerge nearly unscathed; and I use powerful tools from computational 
complexity theory to help determine which are which. 

In the first part of the thesis, I attack the common belief that quantum computing
resembles classical exponential parallelism, by showing that quantum computers would face
serious limitations on a wider range of problems than was previously known. In particular,
any quantum algorithm that solves the collision problem — that of deciding whether
a sequence of n integers is one-to-one or two-to-one — must query the sequence $\Omega(n^{1/5})$
times. This resolves a question that was open for years; previously no lower bound better
than constant was known. A corollary is that there is no "black-box" quantum algorithm
to break cryptographic hash functions or solve the Graph Isomorphism problem in polynomial
time. I also show that relative to an oracle, quantum computers could not solve
NP-complete problems in polynomial time, even with the help of nonuniform "quantum
advice states"; and that any quantum algorithm needs $\Omega(2^{n/4}/n)$ queries to find a local
minimum of a black-box function on the n-dimensional hypercube. Surprisingly, the latter
result also leads to new classical lower bounds for the local search problem. Finally, I give
new lower bounds on quantum one-way communication complexity, and on the quantum
query complexity of total Boolean functions and recursive Fourier sampling.

The second part of the thesis studies the relationship of the quantum computing
model to physical reality. I first examine the arguments of Leonid Levin, Stephen Wolfram,
and others who believe quantum computing to be fundamentally impossible. I find
their arguments unconvincing without a "Sure/Shor separator" — a criterion that separates
the already-verified quantum states from those that appear in Shor's factoring algorithm.
I argue that such a separator should be based on a complexity classification of quantum
states, and go on to create such a classification. Next I ask what happens to the quantum
computing model if we take into account that the speed of light is finite — and in particular,
whether Grover's algorithm still yields a quadratic speedup for searching a database.
Refuting a claim by Benioff, I show that the surprising answer is yes. Finally, I analyze
hypothetical models of computation that go even beyond quantum computing. I show that
many such models would be as powerful as the complexity class PP, and use this fact to
give a simple, quantum computing based proof that PP is closed under intersection. On
the other hand, I also present one model — wherein we could sample the entire history of
a hidden variable — that appears to be more powerful than standard quantum computing,
but only slightly so.



Professor Umesh Vazirani 
Dissertation Committee Chair 

Chapter 1

"Aren't You Worried That 
Quantum Computing Won't Pan 
Out?" 



For a century now, physicists have been telling us strange things: about twins 
who age at different rates, particles that look different when rotated 360°, a force that is 
transmitted by gravitons but is also the curvature of spacetime, a negative-energy electron 
sea that pervades empty space, and strangest of all, "probability waves" that produce fringes 
on a screen when you don't look and don't when you do. Yet ever since I learned to program, 
I suspected that such things were all "implementation details" in the source code of Nature, 
their study only marginally relevant to forming an accurate picture of reality. Physicists, 
I thought, would eventually realize that the state of the universe can be represented by 
a finite string of bits. These bits would be the "pixels" of space, creating the illusion of 
continuity on a large scale much as a computer screen does. As time passed, the bits 
would be updated according to simple rules. The specific form of these rules was of no 
great consequence — since according to the Extended Church-Turing Thesis, any sufficiently
complicated rules could simulate any other rules with reasonable efficiency.¹ So apart from
practical considerations, why worry about Maxwell's equations, or Lorentz invariance, or
even mass and energy, if the most fundamental aspects of our universe already occur in
Conway's Game of Life (see Figure 1.1)?

Then I heard about Shor's algorithm [219] for factoring integers in polynomial time
on a quantum computer. Then as now, many people saw quantum computing as at best a
speculative diversion from the "real work" of computer science. Why devote one's research
career to a type of computer that might never see application within one's lifetime, that
faces daunting practical obstacles such as decoherence, and whose most publicized success
to date has been the confirmation that, with high probability, 15 = 3 × 5 [234]? Ironically,
I might have agreed with this view, had I not taken the Extended Church-Turing Thesis
so seriously as a claim about reality. For Shor's algorithm forces us to accept that, under
widely-believed assumptions, that Thesis conflicts with the experimentally-tested rules of
quantum mechanics as we currently understand them. Either the Extended Church-Turing
Thesis is false, or quantum mechanics must be modified, or the factoring problem is solvable
in classical polynomial time. All three possibilities seem like wild, crackpot speculations —
but at least one of them is true!

¹ Here "extended" refers to the efficiency requirement, which was not mentioned in the original
Church-Turing Thesis. Also, I am simply using the standard terminology, sidestepping the issue of
whether Church and Turing themselves intended to make a claim about physical reality.

Figure 1.1: In Conway's Game of Life, each cell of a 2D square grid becomes 'dead' or
'alive' based on how many of its eight neighbors were alive in the previous time step. A
simple rule applied iteratively leads to complex, unpredictable behavior. In what ways is
our physical world similar to Conway's, and in what ways is it different?

The above conundrum is what underlies my interest in quantum computing, far 
more than any possible application. Part of the reason is that I am neither greedy, nefarious, 
nor number-theoretically curious enough ever to have hungered for the factors of a 600-digit 
integer. I do think that quantum computers would have benign uses, the most important 
one being the simulation of quantum physics and chemistry.² Also, as transistors approach
the atomic scale, ideas from quantum computing are likely to become pertinent even for 
classical computer design. But none of this quickens my pulse. 

For me, quantum computing matters because it combines two of the great mysteries
bequeathed to us by the twentieth century: the nature of quantum mechanics, and the
ultimate limits of computation. It would be astonishing if such an elemental connection 
between these mysteries shed no new light on either of them. And indeed, there is already 
a growing list of examples [HI 1221 1151] — we will see several of them in this thesis — in which 
ideas from quantum computing have led to new results about classical computation. This 
should not be surprising: after all, many celebrated results in computer science involve 
only deterministic computation, yet it is hard to imagine how anyone could have proved 
them had computer scientists not long ago "taken randomness aboard."³ Likewise, taking
quantum mechanics aboard could lead to a new, more general perspective from which to 
revisit the central questions of computational complexity theory. 

The other direction, though, is the one that intrigues me even more. In my view,
quantum computing has brought us slightly closer to the elusive Beast that devours Bohmians
for breakfast, Copenhagenists for lunch, and a linear combination of many-worlders
and consistent historians for dinner — the Beast that tramples popularizers, brushes off
arXiv preprints like fleas, and snorts at the word "decoherence" — the Beast so fearsome
that physicists since Bohr and Heisenberg have tried to argue it away, as if semantics could
banish its unitary jaws and complex-valued tusks. But no, the Beast is there whenever you
aren't paying attention, following all possible paths in superposition. Look, and suddenly
the Beast is gone. But what does it even mean to look? If you're governed by the same
physical laws as everything else, then why don't you evolve in superposition too, perhaps
until someone else looks at you and thereby 'collapses' you? But then who collapses whom
first? Or if you never collapse, then what determines what you-you, rather than the
superposition of you's, experience? Such is the riddle of the Beast,⁴ and it has filled many
with terror and awe.

² Followed closely by Recursive Fourier Sampling, parity in n/2 queries, and efficiently deciding whether
a graph is a scorpion.

³ A few examples are primality testing in P [17], undirected connectivity in L [202], and inapproximability
of 3-SAT unless P = NP [224].

The contribution of quantum computing, I think, has been to show that the real 
nature of the Beast lies in its exponentiality. It is not just two, three, or a thousand states 
held in ghostly superposition that quantum mechanics is talking about, but an astronomical 
multitude, and these states could in principle reveal their presence to us by factoring a
five-thousand-digit number. Much more than even Schrödinger's cat or the Bell inequalities,
this particular discovery ups the ante — forcing us either to swallow the full quantum brew,
or to stop saying that we believe in it. Of course, this is part of the reason why Richard
Feynman [108] and David Deutsch ||U] introduced quantum computing in the first place,
and why Deutsch, in his defense of the many-worlds interpretation, issues a famous challenge
to skeptics [92, p. 217]: if parallel universes are not physically real, then explain how Shor's
algorithm works.

Unlike Deutsch, here I will not use quantum computing to defend the many-worlds 
interpretation, or any of its competitors for that matter. Roughly speaking, I agree with 
every interpretation of quantum mechanics to the extent that it acknowledges the Beast's 
existence, and disagree to the extent that it claims to have caged the Beast. I would adopt 
the same attitude in computer science, if instead of freely admitting (for example) that 
P versus NP is an open problem, researchers had split into "equalist," "unequalist," and 
"undecidabilist" schools of interpretation, with others arguing that the whole problem is 
meaningless and should therefore be abandoned. 

Instead, in this thesis I will show how adopting a computer science perspective 
can lead us to ask better questions — nontrivial but answerable questions, which put old 
mysteries in a new light even when they fall short of solving them. Let me give an 
example. One of the most contentious questions about quantum mechanics is whether the 
individual components of a wavefunction should be thought of as "really there" or as "mere 
potentialities." When we don our computer scientist goggles, this question morphs into a 
different one: what resources are needed to make a particular component of the wavefunction 
manifest? Arguably the two questions are related, since something "real" ought to take less 
work to manifest than something "potential." For example, this thesis gradually became
more real as less of it remained to be written.

⁴ Philosophers call the riddle of the Beast the "measurement problem," which sounds less like something
that should cause insomnia and delirious raving in all who have understood it. Basically, the problem is to
reconcile a picture of the world in which "everything happens simultaneously" with the fact that you (or at
least I!) have a sequence of definite experiences.

Concretely, suppose our wavefunction has $2^n$ components, all with equal amplitude.
Suppose also that we have a procedure to recognize a particular component $x$ (i.e.,
a function $f$ such that $f(x) = 1$ and $f(y) = 0$ for all $y \neq x$). Then how often must we
apply this procedure before we make $x$ manifest; that is, observable with probability close
to 1? Bennett, Bernstein, Brassard, and Vazirani showed that $\sim 2^{n/2}$ applications are
necessary, even if $f$ can be applied to all $2^n$ components in superposition. Later Grover
[139] showed that $\sim 2^{n/2}$ applications are also sufficient. So if we imagine a spectrum
with "really there" (1 application) on one end, and "mere potentiality" ($\sim 2^n$ applications)
on the other, then we have landed somewhere in between: closer to the "real" end on an
absolute scale, but closer to the "potential" end on the polynomial versus exponential scale
that is more natural for computer science.
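
The count in the paragraph above can be checked numerically. The following is an added example, not code from the thesis: a classical state-vector simulation of Grover's procedure that counts applications of f until the recognized component is observed with probability at least 0.9. The function names and the 0.9 threshold are assumptions chosen for illustration.

```python
import math

def grover_probabilities(n_bits, target, iterations):
    """Exact simulation on N = 2^n_bits equal-amplitude components.

    Returns [P(observe target) after k applications of f] for k = 0..iterations."""
    N = 1 << n_bits
    amp = [1.0 / math.sqrt(N)] * N
    probs = [amp[target] ** 2]
    for _ in range(iterations):
        amp[target] = -amp[target]            # f applied in superposition: phase flip where f = 1
        mean = sum(amp) / N
        amp = [2.0 * mean - a for a in amp]   # Grover diffusion: inversion about the mean
        probs.append(amp[target] ** 2)
    return probs

def applications_needed(n_bits, threshold=0.9, target=0):
    """Smallest number of applications of f that makes the target component
    observable with probability >= threshold (threshold is an assumed value)."""
    limit = 1 << (n_bits // 2 + 1)            # the first peak lies near (pi/4) * 2^(n/2) < limit
    probs = grover_probabilities(n_bits, target, limit)
    return next(k for k, p in enumerate(probs) if p >= threshold)

def closed_form(n_bits, k):
    """Known closed form sin^2((2k+1) * theta), with sin(theta) = 2^(-n/2)."""
    theta = math.asin(1.0 / math.sqrt(1 << n_bits))
    return math.sin((2 * k + 1) * theta) ** 2

if __name__ == "__main__":
    for n in (6, 8, 10, 12):
        k = applications_needed(n)
        print(f"n={n:2d}  2^n={1 << n:5d}  applications={k:3d}  2^(n/2)={2 ** (n / 2):.0f}")
    # One application is far from enough: the component is not yet "really there".
    print("n=10, after 1 application:", grover_probabilities(10, 0, 1)[1])
```

Adding two bits to n quadruples the number of components but only doubles the number of applications, which is the $\sim 2^{n/2}$ scaling stated above.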

Of course, we should be wary of drawing grand conclusions from a single data 
point. So in this thesis, I will imagine a hypothetical resident of Conway's Game of Life, 
who arrives in our physical universe on a computational complexity safari — wanting to 
know exactly which intuitions to keep and which to discard regarding the limits of efficient 
computation. Many popular science writers would tell our visitor to throw all classical 
intuitions out the window, while quantum computing skeptics would urge retaining them 
all. These positions are actually two sides of the same coin, since the belief that a quantum 
computer would necessitate the first is what generally leads to the second. I will show, 
however, that neither position is justified. Based on what we know today, there really is a 
Beast, but it usually conceals its exponential underbelly. 

I'll provide only one example from the thesis here; the rest are summarized in
Chapter 2. Suppose we are given a procedure that computes a two-to-one function $f$,
and want to find distinct inputs $x$ and $y$ such that $f(x) = f(y)$. In this case, by simply
preparing a uniform superposition over all inputs to $f$, applying the procedure, and then
measuring its result, we can produce a state of the form $(|x\rangle + |y\rangle)/\sqrt{2}$, for some $x$ and $y$
such that $f(x) = f(y)$. The only problem is that if we measure this state, then we see
either $x$ or $y$, but not both. The task, in other words, is no longer to find a needle in
a haystack, but just to find two needles in an otherwise empty barn! Nevertheless, the
collision lower bound in Chapter El will show that, if there are $2^n$ inputs to $f$, then any
quantum algorithm for this problem must apply the procedure for $f$ at least $\sim 2^{n/5}$ times.
Omitting technical details, this lower bound can be interpreted in at least seven ways:

(1) Quantum computers need exponential time even to compute certain global properties 
of a function, not just local properties such as whether there is an x with f (x) = 1. 

(2) Simon's algorithm [220], and the period-finding core of Shor's algorithm [219], cannot
be generalized to functions with no periodicity or other special structure. 

(3) Any "brute-force" quantum algorithm needs exponential time, not just for NP-complete
problems, but for many structured problems such as Graph Isomorphism, approximating
the shortest vector in a lattice, and finding collisions in cryptographic hash
functions.

(4) It is unlikely that all problems having "statistical zero-knowledge proofs" can be
efficiently solved on a quantum computer.

(5) Within the setting of a collision algorithm, the components $|x\rangle$ and $|y\rangle$ in the state
$(|x\rangle + |y\rangle)/\sqrt{2}$ should be thought of as more "potentially" than "actually" there, it
being impossible to extract information about both of them in a reasonable amount
of time.

(6) The ability to map $|x\rangle$ to $|f(x)\rangle$, "uncomputing" $x$ in the process, can be exponentially
more powerful than the ability to map $|x\rangle$ to $|x\rangle|f(x)\rangle$.

(7) In hidden-variable interpretations of quantum mechanics, the ability to sample the entire
history of a hidden variable would yield even more power than standard quantum
computing.

Interpretations (5), (6), and (7) are examples of what I mean by putting old 
mysteries in a new light. We are not brought face-to-face with the Beast, but at least we
have fresh footprints and droppings. 

Well then. Am I worried that quantum computing won't pan out? My usual 
answer is that I'd be thrilled to know it will never pan out, since this would entail the 
discovery of a lifetime, that quantum mechanics is false. But this is not what the questioner 
has in mind. What if quantum mechanics holds up, but building a useful quantum computer 
turns out to be so difficult and expensive that the world ends before anyone succeeds? The 
questioner is usually a classical theoretical computer scientist, someone who is not known to 
worry excessively that the world will end before log log n exceeds 10. Still, it would be nice 
to see nontrivial quantum computers in my lifetime, and while I'm cautiously optimistic, 
I'll admit to being slightly worried that I won't. But when faced with the evidence that 
one was born into a universe profoundly unlike Conway's — indeed, that one is living one's 
life on the back of a mysterious, exponential Beast comprising everything that ever could 
have happened — what is one to do? "Move right along. . . nothing to see here. . . " 

Chapter 2

Overview 



"Let a computer smear — with the right kind of quantum randomness — and 
you create, in effect, a 'parallel' machine with an astronomical number of processors
. . . All you have to do is be sure that when you collapse the system,
you choose the version that happened to find the needle in the mathematical 
haystack." 

— From Quarantine [103], a 1992 science-fiction novel by Greg Egan

Many of the deepest discoveries of science are limitations: for example, no
superluminal signalling, no perpetual-motion machines, and no complete axiomatization for
arithmetic. This thesis is broadly concerned with limitations on what can efficiently be
computed in the physical world. The word "quantum" is absent from the title, in order
to emphasize that the focus on quantum computing is not an arbitrary choice, but rather
an inevitable result of taking our current physical theories seriously. The technical
contributions of the thesis are divided into two parts, according to whether they accept the
quantum computing model as given and study its fundamental limitations; or question,
defend, or go beyond that model in some way. Before launching into a detailed overview
of the contributions, let me make some preliminary remarks.

Since the early twentieth century, two communities — physicists¹ and computer
scientists — have been asking some of the deepest questions ever asked in almost total
intellectual isolation from each other. The great joy of quantum computing research is that
it brings these communities together. The trouble was initially that, although each
community would nod politely during the other's talks, eventually it would come out that the
physicists thought NP stood for "Non Polynomial," and the computer scientists had no
idea what a Hamiltonian was. Thankfully, the situation has improved a lot — but my hope
is that it improves further still, to the point where computer scientists have internalized
the problems faced by physics and vice versa. For this reason, I have worked hard to
make the thesis as accessible as possible to both communities. Thus, Chapter provides
a "complexity theory cheat sheet" that defines NP, P/poly, AM, and other computational
complexity classes that appear in the thesis; and that explains oracles and other important
concepts. Then Chapter 2] presents the quantum model of computation with no reference
to the underlying physics, before moving on to fancier notions such as density matrices,
trace distance, and separability. Neither chapter is a rigorous introduction to its subject;
for that there are fine textbooks — such as Papadimitriou's Computational Complexity [188]
and Nielsen and Chuang's Quantum Computation and Quantum Information [182] — as well
as course lecture notes available on the web. Depending on your background, you might
want to skip to Chapters El or 0] before continuing any further, or you might want to skip
past these chapters entirely.

¹ As in Saul Steinberg's famous New Yorker world map, in which 9th Avenue and the Hudson River take
up more space than Japan and China, from my perspective chemists, engineers, and even mathematicians
who know what a gauge field is are all "physicists."

Even the most irredeemably classical reader should take heart: of the 103 proofs
in the thesis, 66 do not contain a single ket symbol.² Many of the proofs can be understood
by simply accepting certain facts about quantum computing on faith, such as Ambainis's³
adversary theorem [27] or Beals et al.'s polynomial lemma [13]. On the other hand, one does
run the risk that after one understands the proofs, ket symbols will seem less frightening
than before.

The results in the thesis have all previously appeared in published papers or 
preprints El IS El 13 El El ED3 CCD IS] , with the exception of the quantum computing 
based proof that PP is closed under intersection in Chapter 1151 I thank Andris Ambainis 
for allowing me to include our joint results from [13] on quantum search of spatial regions.
Results of mine that do not appear in the thesis include those on Boolean function query 
properties 3 , stabilizer circuits ^3] (joint work with Daniel Gottesman), and agreement 
complexity UJ. 

In writing the thesis, one of the toughest choices I faced was whether to refer to 
myself as 'I' or 'we.' Sometimes a personal voice seemed more appropriate, and sometimes
the Voice of Scientific Truth, but I wanted to be consistent. Readers can decide whether I 
chose humbly or arrogantly. 

2.1 Limitations of Quantum Computers 

Part I studies the fundamental limitations of quantum computers within the usual model
for them. With the exception of Chapter ^3 on quantum advice, the contributions of Part I
all deal with black-box or query complexity, meaning that one counts only the number of
queries to an "oracle," not the number of computational steps. Of course, the queries can
be made in quantum superposition. In Chapter I explain the quantum black-box model,
then offer a detailed justification for its relevance to understanding the limits of quantum
computers. Some computer scientists say that black-box results should not be taken too
seriously; but I argue that, within quantum computing, they are not taken seriously enough.

What follows is a (relatively) nontechnical overview of Chapters to 1101 which
contain the results of Part I. Afterwards, Chapter ^2 summarizes the conceptual lessons
that I believe can be drawn from those results.

² To be honest, a few of those do contain density matrices — or the theorem contains ket symbols, but not
the proof.

³ Style manuals disagree about whether Ambainis' or Ambainis's is preferable, but one referee asked me to
follow the latter rule with the following deadpan remark: "Exceptions to the rule generally involve religiously
significant individuals, e.g., 'Jesus' lower-bound method.' "

2.1.1 The Collision Problem

Chapter |S] presents my lower bound on the quantum query complexity of the collision
problem. Given a function $X$ from $\{1,\ldots,n\}$ to $\{1,\ldots,n\}$ (where $n$ is even), the collision
problem is to decide whether $X$ is one-to-one or two-to-one, promised that one of these is
the case. Here the only way to learn about $X$ is to call a procedure that computes $X(i)$
given $i$. Clearly, any deterministic classical algorithm needs to call the procedure $n/2 + 1$
times to solve the problem. On the other hand, a randomized algorithm can exploit the
"birthday paradox": only 23 people have to enter a room before there's a 50% chance that
two of them share the same birthday, since what matters is the number of pairs of people.
Similarly, if $X$ is two-to-one, and an algorithm queries $X$ at $\sqrt{n}$ uniform random locations,
then with constant probability it will find two locations $i \neq j$ such that $X(i) = X(j)$,
thereby establishing that $X$ is two-to-one. This bound is easily seen to be tight, meaning
that the bounded-error randomized query complexity of the collision problem is $\Theta(\sqrt{n})$.

What about the quantum complexity? In 1997, Brassard, Høyer, and Tapp p5]
gave a quantum algorithm that uses only $O(n^{1/3})$ queries. The algorithm is simple to
describe: in the first phase, query $X$ classically at $n^{1/3}$ randomly chosen locations. In the
second phase, choose $n^{2/3}$ random locations, and run Grover's algorithm on those locations,
considering each location $i$ as "marked" if $X(i) = X(j)$ for some $j$ that was queried in the
first phase. Notice that both phases use order $n^{1/3} = \sqrt{n^{2/3}}$ queries, and that the total
number of comparisons is $n^{2/3} n^{1/3} = n$. So, like its randomized counterpart, the quantum
algorithm finds a collision with constant probability if $X$ is two-to-one.
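
The query counts in the two paragraphs above can be reproduced with a classical simulation. This is an added example, not code from the thesis: it runs the birthday-style randomized tester with $\sqrt{n}$ queries, shows the $n/2 + 1$ worst case for a fixed-order deterministic scan, and does the classical bookkeeping for the two-phase quantum algorithm (Grover's search itself is not simulated). All function names are illustrative, inputs are constructed at random, and locations are 0-indexed and sampled without replacement.

```python
import math
import random

def make_instance(n, two_to_one, rng):
    """Constructed input: X as a 0-indexed list of n values (n even)."""
    values = list(range(n))
    rng.shuffle(values)
    if not two_to_one:
        return values                    # random permutation: one-to-one
    table = values[: n // 2] * 2         # each image value appears exactly twice
    rng.shuffle(table)
    return table

def birthday_test(X, num_queries, rng):
    """Query X at distinct uniform random locations until two values agree.

    Returns (found_collision, queries_used). The error is one-sided: a
    one-to-one X can never yield a collision."""
    seen = set()
    for used, i in enumerate(rng.sample(range(len(X)), num_queries), start=1):
        if X[i] in seen:
            return True, used
        seen.add(X[i])
    return False, num_queries

def success_rate(n, trials=500, seed=1):
    """Fraction of runs that catch a two-to-one X with ceil(sqrt(n)) queries."""
    rng = random.Random(seed)
    X = make_instance(n, True, rng)
    q = math.isqrt(n - 1) + 1            # ceil(sqrt(n))
    return sum(birthday_test(X, q, rng)[0] for _ in range(trials)) / trials

def deterministic_worst_case(n):
    """Fixed-order scan against an adversarial two-to-one X whose first n/2
    entries are all distinct: the first collision shows up at query n/2 + 1."""
    X = list(range(n // 2)) * 2
    seen = set()
    for used, value in enumerate(X, start=1):
        if value in seen:
            return used
        seen.add(value)
    return None

def bht_phase_stats(X, rng):
    """Classical bookkeeping for the two-phase quantum algorithm (Grover itself
    is not simulated). Returns (phase1_queries, grover_queries, marked)."""
    n = len(X)
    k = round(n ** (1 / 3))              # phase 1: about n^(1/3) classical queries
    locations = rng.sample(range(n), k + k * k)
    phase1, phase2 = locations[:k], locations[k:]   # phase 2: about n^(2/3) others
    seen = {X[j] for j in phase1}
    marked = sum(1 for i in phase2 if X[i] in seen)
    return k, math.isqrt(k * k), marked  # Grover cost is order sqrt(n^(2/3))

def bht_marked_rate(n, trials=500, seed=2):
    """Fraction of runs in which phase 2 holds at least one marked location."""
    rng = random.Random(seed)
    X = make_instance(n, True, rng)
    return sum(bht_phase_stats(X, rng)[2] > 0 for _ in range(trials)) / trials

if __name__ == "__main__":
    print("deterministic worst case, n=1024:", deterministic_worst_case(1024))
    for n in (1024, 16384, 262144):
        print(n, "birthday success with sqrt(n) queries:", success_rate(n))
    print("BHT, n=4096: P(some marked location) ~", bht_marked_rate(4096))
```

The birthday success rate stays near the same constant as n grows, and the phase-2 sample contains about one marked location on average, which is why both phases can stay at order $n^{1/3}$ queries.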

What I show in Chapter El is that any quantum algorithm for the collision problem
needs $\Omega(n^{1/5})$ queries. Previously, no lower bound better than the trivial $\Omega(1)$ was known.
I also show a lower bound of $\Omega(n^{1/7})$ for the following set comparison problem: given oracle
access to injective functions $X : \{1,\ldots,n\} \to \{1,\ldots,2n\}$ and $Y : \{1,\ldots,n\} \to \{1,\ldots,2n\}$,
decide whether

$$\{X(1),\ldots,X(n),Y(1),\ldots,Y(n)\}$$

has at least $1.1n$ elements or exactly $n$ elements, promised that one of these is the case. The
set comparison problem is similar to the collision problem, except that it lacks permutation
symmetry, making it harder to prove a lower bound. My results for these problems have
been improved, simplified, and generalized by Shi [218], Kutin [161], Ambainis ^27 a , and
Midrijanis [176].

The implications of these results were already discussed in Chapter 1: for example,
they demonstrate that a "brute-force" approach will never yield efficient quantum
algorithms for the Graph Isomorphism, Approximate Shortest Vector, or Nonabelian Hidden
Subgroup problems; suggest that there could be cryptographic hash functions secure
against quantum attack; and imply that there exists an oracle relative to which $\mathsf{SZK} \not\subset \mathsf{BQP}$,
where SZK is the class of problems having statistical zero-knowledge proof protocols, and
BQP is quantum polynomial time.

Both the original lower bounds and the subsequent improvements are based on
the polynomial method, which was introduced by Nisan and Szegedy [184], and first used to
prove quantum lower bounds by Beals, Buhrman, Cleve, Mosca, and de Wolf [45]. In that
method, given a quantum algorithm that makes $T$ queries to an oracle $X$, we first represent
the algorithm's acceptance probability by a multilinear polynomial $p(X)$ of degree at most
$2T$. We then use results from a well-developed area of mathematics called approximation
theory to show a lower bound on the degree of $p$. This in turn implies a lower bound on $T$.

In order to apply the polynomial method to the collision problem, first I extend the 
collision problem's domain from one-to-one and two-to-one functions to g-to-one functions 
for larger values of g. Next I replace the multivariate polynomial p (X) by a related 
univariate polynomial q (g) whose degree is easier to lower-bound. The latter step is the 
real "magic" of the proof; I still have no good intuitive explanation for why it works. 

The polynomial method is one of two principal methods that we have for proving 
lower bounds on quantum query complexity. The other is Ambainis's quantum adversary 
method j2jj, which can be seen as a far-reaching generalization of the "hybrid argument" 
that Bennett, Bernstein, Brassard, and Vazirani introduced in 1994 to show that a 
quantum computer needs $\Omega(\sqrt{n})$ queries to search an unordered database of size n for a
marked item. In the adversary method, we consider a bipartite quantum state, in which 
one part consists of a superposition over possible inputs, and the other part consists of 
a quantum algorithm's work space. We then upper-bound how much the entanglement 
between the two parts can increase as the result of a single query. This in turn implies a 
lower bound on the number of queries, since the two parts must be highly entangled by the 
end. The adversary method is more intrinsically "quantum" than the polynomial method; 
and as Ambainis [221 showed, it is also applicable to a wider range of problems, including 
those (such as game-tree search) that lack permutation symmetry. Ambainis even gave 
problems for which the adversary method provably yields a better lower bound than the 
polynomial method [5Sj. It is ironic, then, that Ambainis's original goal in developing the 
adversary method was to prove a lower bound for the collision problem; and in this one 
instance, the polynomial method succeeded while the adversary method failed. 

2.1.2 Local Search 

In Chapters [71 IHJ and|§l however, the adversary method gets its revenge. Chapter [7| deals
with the local search problem: given an undirected graph $G = (V, E)$ and a black-box
function $f : V \to \mathbb{Z}$, find a local minimum of $f$ — that is, a vertex $v$ such that $f(v) < f(w)$
for all neighbors $w$ of $v$. The graph $G$ is known in advance, so the complexity measure is just
the number of queries to $f$. This problem is central for understanding the performance of
the quantum adiabatic algorithm, as well as classical algorithms such as simulated annealing.
If $G$ is the Boolean hypercube $\{0,1\}^n$, then previously Llewellyn, Tovey, and Trick [169] had
shown that any deterministic algorithm needs $\Omega(2^n/\sqrt{n})$ queries to find a local minimum;
and Aldous [24] had shown that any randomized algorithm needs $2^{n/2-o(n)}$ queries. What
I show is that any quantum algorithm needs $\Omega(2^{n/4}/n)$ queries. This is the first nontrivial
quantum lower bound for any local search problem; and it implies that the complexity class
PLS (or "Polynomial Local Search"), defined by Johnson, Papadimitriou, and Yannakakis
[149], is not in quantum polynomial time relative to an oracle.

What will be more surprising to classical computer scientists is that my proof
technique, based on the quantum adversary method, also yields new classical lower bounds
for local search. In particular, I prove a classical analogue of Ambainis's quantum adversary
theorem, and show that it implies randomized lower bounds up to quadratically better
than the corresponding quantum lower bounds. I then apply my theorem to show that
any randomized algorithm needs $\Omega(2^{n/2}/n^2)$ queries to find a local minimum of a function
$f : \{0,1\}^n \to \mathbb{Z}$. Not only does this improve on Aldous's $2^{n/2-o(n)}$ lower bound, bringing us
closer to the known upper bound of $O(2^{n/2}\sqrt{n})$; but it does so in a simpler way that does
not depend on random walk analysis. In addition, I show the first randomized or quantum
lower bounds for finding a local minimum on a cube of constant dimension 3 or greater.
Along with recent work by Bar-Yossef, Jayram, and Kerenidis and by Aharonov and
Regev [22], these results provide one of the earliest examples of how quantum ideas can help
to resolve classical open problems. As I will discuss in Chapter|3 my results on local search
have subsequently been improved by Santha and Szegedy [211] and by Ambainis [25].
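The query model of this section, as an added example that is not code from the thesis: a black-box $f$ on the hypercube wrapped in a query counter, searched with the classical sample-then-descend strategy (random samples, then steepest descent from the best one) that underlies upper bounds of the form $O(2^{n/2}\sqrt{n})$. The sample count $\lfloor\sqrt{2^n n}\rfloor$, the constructed random landscape, and every name below are assumptions of this sketch.

```python
import random
from math import isqrt


class CountingOracle:
    """Wraps f : {0,1}^n -> Z and counts the distinct vertices queried."""

    def __init__(self, f):
        self._f = f
        self._seen = {}

    def __call__(self, v):
        if v not in self._seen:          # a repeated query costs nothing
            self._seen[v] = self._f(v)
        return self._seen[v]

    @property
    def queries(self):
        return len(self._seen)


def neighbors(v, n):
    """Vertices of the n-cube at Hamming distance 1 from v (v is an n-bit int)."""
    return [v ^ (1 << i) for i in range(n)]


def is_local_min(f, v, n):
    """The section's definition: f(v) <= f(w) for every neighbor w of v."""
    return all(f(v) <= f(w) for w in neighbors(v, n))


def steepest_descent(f, v, n):
    """Move to the best neighbor until no neighbor is strictly better."""
    while True:
        best = min(neighbors(v, n), key=f)
        if f(best) >= f(v):
            return v                     # v is a local minimum
        v = best                         # f strictly decreases, so this halts


def sample_then_descend(f, n, rng, samples=None):
    """Query random vertices, then descend from the one with the smallest value."""
    if n < 1:
        raise ValueError("need at least one dimension")
    size = 1 << n
    if samples is None:
        samples = isqrt(size * n)        # assumed budget: about sqrt(2^n * n)
    samples = max(1, min(samples, size))
    start = min(rng.sample(range(size), samples), key=f)
    return steepest_descent(f, start, n)


def random_landscape(n, seed):
    """Constructed test function: a random ranking of the 2^n vertices."""
    values = list(range(1 << n))
    random.Random(seed).shuffle(values)
    return lambda v: values[v]


def demo(n=12, seed=2005):
    oracle = CountingOracle(random_landscape(n, seed))
    v = sample_then_descend(oracle, n, random.Random(seed + 1))
    used = oracle.queries                # read before the verification queries
    return v, used, is_local_min(oracle, v, n)


if __name__ == "__main__":
    v, used, ok = demo()
    print(f"local minimum {v:012b}: {used} of {1 << 12} vertices queried, valid={ok}")
```

A random landscape is an easy instance with many local minima; the lower bounds discussed above concern worst-case functions, which this demo does not construct.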

2.1.3 Quantum Certificate Complexity 

Chapters 8 and 9 continue to explore the power of Ambainis's lower bound method and the
limitations of quantum computers. Chapter 8 is inspired by the following theorem of Beals
et al. 03]: if $f : \{0,1\}^n \to \{0,1\}$ is a total Boolean function, then $D(f) = O(Q_2(f)^6)$,
where $D(f)$ is the deterministic classical query complexity of $f$, and $Q_2(f)$ is the
bounded-error quantum query complexity.⁴ This theorem is noteworthy for two reasons: first,
because it gives a case where quantum computers provide only a polynomial speedup, in
contrast to the exponential speedup of Shor's algorithm; and second, because the exponent
of 6 seems so arbitrary. The largest separation we know of is quadratic, and is achieved
by the OR function on $n$ bits: $D(\mathrm{OR}) = n$, but $Q_2(\mathrm{OR}) = O(\sqrt{n})$ because of Grover's
search algorithm. It is a longstanding open question whether this separation is optimal.
In Chapter 8 I make the best progress so far toward showing that it is. In particular I
prove that

$$R_2(f) = O\left(Q_2(f)^2 \, Q_0(f) \log n\right)$$

for all total Boolean functions $f : \{0,1\}^n \to \{0,1\}$. Here $R_2(f)$ is the bounded-error
randomized query complexity of $f$, and $Q_0(f)$ is the zero-error quantum query complexity.
To prove this result, I introduce two new query complexity measures of independent interest:
the randomized certificate complexity $\mathrm{RC}(f)$ and the quantum certificate complexity $\mathrm{QC}(f)$.
Using Ambainis's adversary method together with the minimax theorem, I relate these
measures exactly to one another, showing that $\mathrm{RC}(f) = \Theta(\mathrm{QC}(f)^2)$. Then, using the
polynomial method, I show that $R_2(f) = O(\mathrm{RC}(f) \, Q_0(f) \log n)$ for all total Boolean $f$,
which implies the above result since $\mathrm{QC}(f) \le Q_2(f)$. Chapter 8 contains several other
results of interest to researchers studying query complexity, such as a superquadratic gap
between $\mathrm{QC}(f)$ and the "ordinary" certificate complexity $C(f)$. But the main message
is the unexpected versatility of our quantum lower bound methods: we see the first use
of the adversary method to prove something about all total functions, not just a specific
function; the first use of both the adversary and the polynomial methods at different points
in a proof; and the first combination of the adversary method with a linear programming
duality argument.

⁴ The subscript '2' means that the error is two-sided.

2.1.4 The Need to Uncompute

Next, Chapter 9 illustrates how "the need to uncompute" imposes a fundamental limit on
efficient quantum computation. Like a classical algorithm, a quantum algorithm can solve
a problem recursively by calling itself as a subroutine. When this is done, though, the
quantum algorithm typically needs to call itself twice for each subproblem to be solved.
The second call's purpose is to "uncompute" garbage left over by the first call, and thereby
enable interference between different branches of the computation. In a seminal paper,
Bennett [52] argued⁵ that uncomputation increases an algorithm's running time by only a
factor of 2. Yet in the recursive setting, the increase is by a factor of $2^d$, where $d$ is the
depth of recursion. Is there any way to avoid this exponential blowup?

To make the question more concrete, Chapter 9 focuses on the recursive Fourier
sampling problem of Bernstein and Vazirani [55]. This is a problem that involves $d$ levels
of recursion, and that takes a Boolean function $g$ as a parameter. What Bernstein and
Vazirani showed is that for some choices of $g$, any classical randomized algorithm needs
$n^{\Omega(d)}$ queries to solve the problem. By contrast, $2^d$ queries always suffice for a quantum
algorithm. The question I ask is whether a quantum algorithm could get by with fewer
than $2^{\Omega(d)}$ queries, even while the classical complexity remains large. I show that the
answer is no: for every $g$, either Ambainis's adversary method yields a $2^{\Omega(d)}$ lower bound
on the quantum query complexity, or else the classical and quantum query complexities are
both 1. The lower bound proof introduces a new parameter of Boolean functions called
the "nonparity coefficient," which might be of independent interest.

2.1.5 Limitations of Quantum Advice 

Chapter 10 broadens the scope of Part I to include the limitations of quantum computers
equipped with "quantum advice states." Ordinarily, we assume that a quantum computer
starts out in the standard "all-0" state, $|0 \cdots 0\rangle$. But it is perfectly sensible to drop that
assumption, and consider the effects of other initial states. Most of the work doing so has
concentrated on whether universal quantum computing is still possible with highly mixed
initial states (see [34, 214] for example). But an equally interesting question is whether
there are states that could take exponential time to prepare, but that would carry us far
beyond the complexity-theoretic confines of BQP were they given to us by a wizard. For
even if quantum mechanics is universally valid, we do not really know whether such states
exist in Nature!

Let BQP/qpoly be the class of problems solvable in quantum polynomial time, with
the help of a polynomial-size "quantum advice state" $|\psi_n\rangle$ that depends only on the input
length $n$ but that can otherwise be arbitrary. Then the question is whether BQP/poly =
BQP/qpoly, where BQP/poly is the class of the problems solvable in quantum polynomial
time using a polynomial-size classical advice string.⁶ As usual, we could try to prove an
oracle separation. But why can't we show that quantum advice is more powerful than
classical advice, with no oracle? Also, could quantum advice be used (for example) to
solve NP-complete problems in polynomial time?

⁵ Bennett's paper dealt with classical reversible computation, but this comment applies equally well to
quantum computation.

⁶ For clearly BQP/poly and BQP/qpoly both contain uncomputable problems not in BQP, such as whether
the $n^{\text{th}}$ Turing machine halts.

The results in Chapter 10 place strong limitations on the power of quantum advice.
First, I show that BQP/qpoly is contained in a classical complexity class called PP/poly.
This means (roughly) that quantum advice can always be replaced by classical advice,
provided we're willing to use exponentially more computation time. It also means that we
could not prove BQP/poly $\ne$ BQP/qpoly without showing that PP does not have
polynomial-size circuits, which is believed to be an extraordinarily hard problem. To prove this result,
I imagine that the advice state $|\psi_n\rangle$ is sent to the BQP/qpoly machine by a benevolent
"advisor," through a one-way quantum communication channel. I then give a novel protocol
for simulating that quantum channel using a classical channel. Besides showing that
BQP/qpoly $\subseteq$ PP/poly, the simulation protocol also implies that for all Boolean functions
$f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$ (partial or total), we have $D^1(f) = O(m \, Q_2^1(f) \log Q_2^1(f))$,
where $D^1(f)$ is the deterministic one-way communication complexity of $f$, and $Q_2^1(f)$ is
the bounded-error quantum one-way communication complexity. This can be considered
a generalization of the "dense quantum coding" lower bound due to Ambainis, Nayak,
Ta-Shma, and Vazirani [32].

The second result in Chapter 10 is that there exists an oracle relative to which
NP $\not\subset$ BQP/qpoly. This extends the result of Bennett et al. jjll that there exists an
oracle relative to which NP $\not\subset$ BQP, to handle quantum advice. Intuitively, even though
the quantum state $|\psi_n\rangle$ could in some sense encode the solutions to exponentially many
NP search problems, only a minuscule fraction of that information could be extracted by
measuring the advice, at least in the black-box setting that we understand today.

The proof of the oracle separation relies on another result of independent interest:
a direct product theorem for quantum search. This theorem says that given an unordered
database with $n$ items, $k$ of which are marked, any quantum algorithm that makes $o(\sqrt{n})$
queries⁷ has probability at most $2^{-\Omega(k)}$ of finding all $k$ of the marked items. In other
words, there are no "magical" correlations by which success in finding one marked item
leads to success in finding the others. This might seem intuitively obvious, but it does not
follow from the $\sqrt{n}$ lower bound for Grover search, or any other previous quantum lower
bound for that matter. Previously, Klauck [155] had given an incorrect proof of a direct
product theorem, based on Bennett et al.'s hybrid method. I give the first correct proof by
using the polynomial method, together with an inequality dealing with higher derivatives
of polynomials due to V. A. Markov, the younger brother of A. A. Markov.

The third result in Chapter 10 is a new trace distance method for proving lower
bounds on quantum one-way communication complexity. Using this method, I obtain
optimal quantum lower bounds for two problems of Ambainis, for which no nontrivial lower
bounds were previously known even for classical randomized protocols.

⁷ Subsequently Klauck, Špalek, and de Wolf [156] improved this to $o(\sqrt{nk})$ queries, which is tight.

2.2 Models and Reality

This thesis is concerned with the limits of efficient computation in Nature. It is not
obvious that these coincide with the limits of the quantum computing model. Thus, Part
II studies the relationship of the quantum computing model to physical reality. Of course,
this is too grand a topic for any thesis, even a thesis as long as this one. I therefore
focus on three questions that particularly interest me. First, how should we understand
the arguments of "extreme" skeptics, that quantum computing is impossible not only in
practice but also in principle? Second, what are the implications for quantum computing
if we recognize that the speed of light is finite, and that according to widely-accepted
principles, a bounded region of space can store only a finite amount of information? And
third, are there reasonable changes to the quantum computing model that make it even
more powerful, and if so, how much more powerful do they make it? Chapters 12 to 16
address these questions from various angles; then Chapter 17 summarizes.

2.2.1 Skepticism of Quantum Computing 

Chapter 12 examines the arguments of skeptics who think that large-scale quantum computing
is impossible for a fundamental physical reason. I first briefly consider the arguments of
Leonid Levin and other computer scientists, that quantum computing is analogous to
"extravagant" models of computation such as unit-cost arithmetic, and should be rejected on
essentially the same grounds. My response emphasizes the need to grapple with the actual
evidence for quantum mechanics, and to propose an alternative picture of the world that is
compatible with that evidence but in which quantum computing is impossible. The bulk
of the chapter, though, deals with Stephen Wolfram's A New Kind of Science [246], and
in particular with one of that book's most surprising claims: that a deterministic
cellular-automaton picture of the world is compatible with the so-called Bell inequality violations
demonstrating the effects of quantum entanglement. To achieve compatibility, Wolfram
posits "long-range threads" between spacelike-separated points. I explain in detail why
this thread proposal violates Wolfram's own desiderata of relativistic and causal invariance.
Nothing in Chapter 12 is very original technically, but it seems worthwhile to spell out what
a scientific argument against quantum computing would have to accomplish, and why the
existing arguments fail.

2.2.2 Complexity Theory of Quantum States 

Chapter 13 continues the train of thought begun in Chapter 12, except that now the focus is
more technical. I search for a natural Sure/Shor separator: a set of quantum states that can
account for all experiments performed to date, but that does not contain the states arising
in Shor's factoring algorithm. In my view, quantum computing skeptics would strengthen
their case by proposing specific examples of Sure/Shor separators, since they could then
offer testable hypotheses about where the assumptions of the quantum computing model
break down (if not how they break down). So why am I doing the skeptics' work for them?
Several people have wrongly inferred from this that I too am a skeptic! My goal, rather,
is to illustrate what a scientific debate about the possibility of quantum computing might
look like.

Most of Chapter 13 deals with a candidate Sure/Shor separator that I call tree
states. Any $n$-qubit pure state $|\psi_n\rangle$ can be represented by a tree, in which each leaf is
labeled by $|0\rangle$ or $|1\rangle$, and each non-leaf vertex is labeled by either a linear combination or
a tensor product of its subtrees. Then the tree size of $|\psi_n\rangle$ is just the minimum number
of vertices in such a tree, and a "tree state" is an infinite family of states whose tree size is
bounded by a polynomial in $n$. The idea is to keep a central axiom of quantum mechanics —
that if $|\psi\rangle$ and $|\varphi\rangle$ are possible states, so are $|\psi\rangle \otimes |\varphi\rangle$ and $\alpha|\psi\rangle + \beta|\varphi\rangle$ — but to limit
oneself to polynomially many applications of the axiom.
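An added example (not from the thesis) of the tree representation just described: it expands a tree into its amplitude vector and counts vertices, comparing a structured tree for $k$ Bell pairs with the naive tree that spends one tensor product per basis state. The class and function names are assumptions, and `size` measures one given tree, so it only upper-bounds the tree size, which is a minimum over all trees.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Leaf:
    bit: int                     # leaf labelled |0> or |1>


@dataclass(frozen=True)
class Tensor:
    children: tuple              # tensor product of the subtrees, left to right


@dataclass(frozen=True)
class Sum:
    terms: tuple                 # ((coefficient, subtree), ...) linear combination


def amplitudes(tree):
    """Expand a tree into its amplitude vector (first qubit = most significant bit)."""
    if isinstance(tree, Leaf):
        return [1.0, 0.0] if tree.bit == 0 else [0.0, 1.0]
    if isinstance(tree, Tensor):
        vec = [1.0]
        for child in tree.children:
            sub = amplitudes(child)
            vec = [a * b for a in vec for b in sub]   # Kronecker product
        return vec
    parts = [(c, amplitudes(sub)) for c, sub in tree.terms]
    dim = len(parts[0][1])
    if any(len(v) != dim for _, v in parts):
        raise ValueError("linear combination of subtrees on different numbers of qubits")
    return [sum(c * v[i] for c, v in parts) for i in range(dim)]


def size(tree):
    """Number of vertices in this particular tree (an upper bound on tree size)."""
    if isinstance(tree, Leaf):
        return 1
    kids = tree.children if isinstance(tree, Tensor) else [t for _, t in tree.terms]
    return 1 + sum(size(k) for k in kids)


def basis_expansion(vec, eps=1e-12):
    """Naive tree: one tensor-of-leaves per basis state with nonzero amplitude."""
    n = len(vec).bit_length() - 1
    terms = []
    for index, amp in enumerate(vec):
        if abs(amp) > eps:
            bits = tuple(Leaf((index >> (n - 1 - k)) & 1) for k in range(n))
            terms.append((amp, Tensor(bits)))
    return Sum(tuple(terms))


def bell_pair():
    """(|00> + |11>)/sqrt(2) as a 7-vertex tree."""
    r = 1 / sqrt(2)
    return Sum(((r, Tensor((Leaf(0), Leaf(0)))), (r, Tensor((Leaf(1), Leaf(1))))))


def bell_pairs(k):
    """Tensor product of k Bell pairs: 1 + 7k vertices."""
    return Tensor(tuple(bell_pair() for _ in range(k)))


def same_state(a, b, tol=1e-9):
    return len(a) == len(b) and all(abs(x - y) <= tol for x, y in zip(a, b))


if __name__ == "__main__":
    for k in range(1, 7):
        compact = bell_pairs(k)
        naive = basis_expansion(amplitudes(compact))
        print(f"{2 * k:2d} qubits: structured tree {size(compact):3d} vertices, "
              f"basis expansion {size(naive):5d} vertices")
```

The structured tree grows as $1 + 7k$ vertices while the basis expansion grows as $1 + 2^k(2k + 1)$, both for the same $2k$-qubit state.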

The main results are superpolynomial lower bounds on tree size for explicit families
of quantum states. Using a recent lower bound on multilinear formula size due to Raz
[195, 196], I show that many states arising in quantum error correction (for example, states
based on binary linear erasure codes) have tree size $n^{\Omega(\log n)}$. I show the same for the states
arising in Shor's algorithm, assuming a number-theoretic conjecture. Therefore, I argue,
by demonstrating such states in the lab on a large number of qubits, experimentalists could
weaken⁸ the hypothesis that all states in Nature are tree states.

Unfortunately, while I conjecture that the actual tree sizes are exponential, Raz's
method is currently only able to show lower bounds of the form $n^{\Omega(\log n)}$. On the other hand,
I do show exponential lower bounds under a restriction, called "manifest orthogonality," on
the allowed linear combinations of states.

More broadly, Chapter 13 develops a complexity classification of quantum states,
and — treating that classification as a subject in its own right — proves many basic results
about it. To give a few examples: if a quantum computer is restricted to being in a tree
state at every time step, then it can be simulated in the third level of the polynomial hierarchy
PH. A random state cannot even be approximated by a state with subexponential tree
size. Any "orthogonal tree state" can be prepared by a polynomial-size quantum circuit.
Collapses of quantum state classes would imply collapses of ordinary complexity classes,
and vice versa. Many of these results involve unexpected connections between quantum
computing and classical circuit complexity. For this reason, I think that the "complexity
theory of quantum states" has an intrinsic computer-science motivation, besides its possible
role in making debates about quantum mechanics' range of validity less philosophical and
more scientific.

2.2.3 Quantum Search of Spatial Regions 

A basic result in classical computer science says that Turing machines are polynomially
equivalent to random-access machines. In other words, we can ignore the fact that the
speed of light is finite for complexity purposes, so long as we only care about polynomial
equivalence. It is easy to see that the same is true for quantum computing. Yet one of the
two main quantum algorithms, Grover's algorithm, provides only a polynomial speedup.⁹
So, does this speedup disappear if we consider relativity as well as quantum mechanics?

⁸ Since tree size is an asymptotic notion (and for other reasons discussed in Chapter 13), strictly speaking
experimentalists could never refute the hypothesis — just push it beyond all bounds of plausibility.

⁹ If Grover's algorithm is applied to a combinatorial search space of size $2^n$, then the speedup is by a
factor of $2^{n/2}$ — but in this case the speedup is only conjectured, not proven.




More concretely, suppose a "quantum robot" is searching a 2-D grid of size $\sqrt{n} \times \sqrt{n}$
for a single marked item. The robot can enter a superposition of grid locations, but moving
from one location to an adjacent one takes one time step. How many steps are needed to
find the marked item? If Grover's algorithm is implemented naively, the answer is order
$n$ — since each of the $\sqrt{n}$ Grover iterations takes $\sqrt{n}$ steps, just to move the robot across
the grid and back. This yields no improvement over classical search. Benioff [SU] noticed
this defect of Grover's algorithm as applied to a physical database, but failed to raise the
question of whether or not a faster algorithm exists.

Sadly, I was unable to prove a lower bound showing that the naive algorithm is
optimal. But in joint work with Andris Ambainis, we did the next best thing: we proved
the impossibility of proving a lower bound, or to put it crudely, gave an algorithm. In
particular, Chapter 14 shows how to search a $\sqrt{n} \times \sqrt{n}$ grid for a unique marked vertex in
only $O(\sqrt{n} \log^{3/2} n)$ steps, by using a carefully-optimized recursive Grover search. It also
shows how to search a $d$-dimensional hypercube in $O(\sqrt{n})$ steps for $d \ge 3$. The latter result
has an unexpected implication: namely, that the quantum communication complexity of
the disjointness function is $O(\sqrt{n})$. This matches a lower bound of Razborov [199], and
improves previous upper bounds due to Buhrman, Cleve, and Wigderson [21] and Høyer
and de Wolf [Tift].

Chapter 14 also generalizes our search algorithm to handle multiple marked items,
as well as graphs that are not hypercubes but have sufficiently good expansion properties.
More broadly, the chapter develops a new model of quantum query complexity on graphs,
and proves basic facts about that model, such as lower bounds for search on "starfish"
graphs. Of particular interest to physicists will be Section 14.3, which relates our results
to fundamental limits on information processing imposed by the holographic principle. For
example, we can give an approximate answer to the following question: assuming a positive
cosmological constant $\Lambda > 0$, and assuming the only constraints (besides quantum mechanics)
are the speed of light and the holographic principle, how large a database could ever be
searched for a specific entry, before most of the database receded past one's cosmological
horizon?

2.2.4 Quantum Computing and Postselection 

There is at least one foolproof way to solve NP-complete problems in polynomial time: guess 
a random solution, then kill yourself if the solution is incorrect. Conditioned on looking at 
anything at all, you will be looking at a correct solution! It's a wonder that this approach 
is not tried more often. 

The general idea, of throwing out all runs of a computation except those that
yield a particular result, is called postselection. Chapter 15 explores the general power of
postselection when combined with quantum computing. I define a new complexity class
called PostBQP: the class of problems solvable in polynomial time on a quantum computer,
given the ability to measure a qubit and assume the outcome will be $|1\rangle$ (or equivalently,
discard all runs in which the outcome is $|0\rangle$). I then show that PostBQP coincides with the
classical complexity class PP.

Surprisingly, this new characterization of PP yields an extremely simple, quantum
computing based proof that PP is closed under intersection. This had been an open
problem for two decades, and the previous proof, due to Beigel, Reingold, and Spielman
[47], used highly nontrivial ideas about rational approximations of the sign function. I
also reestablish an extension of the Beigel-Reingold-Spielman result due to Fortnow and
Reingold [115], that PP is closed under polynomial-time truth-table reductions. Indeed, I
show that PP is closed under BQP truth-table reductions, which seems to be a new result.

The rest of Chapter 15 studies the computational effects of simple changes to the
axioms of quantum mechanics. In particular, what if we allow linear but nonunitary
transformations, or change the measurement probabilities from $|\alpha|^2$ to $|\alpha|^p$ (suitably normalized)
for some $p \ne 2$? I show that the first change would yield exactly the power of PostBQP,
and therefore of PP; while the second change would yield PP if $p \in \{4, 6, 8, \ldots\}$, and some
class between PP and PSPACE otherwise.

My results complement those of Abrams and Lloyd ^H], who showed that nonlinear
quantum mechanics would let us solve NP- and even #P-complete problems in polynomial
time; and Brun [72] and Bacon |4U|, who showed the same for quantum computers involving
closed timelike curves. Taken together, these results lend credence to an observation of
Weinberg [241]: that quantum mechanics is a "brittle" theory, in the sense that even a tiny
change to it would have dramatic consequences.

2.2.5 The Power of History 

Contrary to widespread belief, what makes quantum mechanics so hard to swallow is not 
indeterminism about the future trajectory of a particle. That is no more bizarre than a 
coin flip in a randomized algorithm. The difficulty is that quantum mechanics also seems 
to require indeterminism about a particle's past trajectory. Or rather, the very notion 
of a "trajectory" is undefined — for until the particle is measured, there is just an evolving 
wavefunction. 

In spite of this, Schrödinger |2LS|, Bohm [23, Bell and others proposed
hidden-variable theories, in which a quantum state is supplemented by "actual" values of certain
observables. These actual values evolve in time by a dynamical rule, in such a way that
the predictions of quantum mechanics are recovered at any individual time. On the other
hand, it now makes sense to ask questions like the following: "Given that a particle was
at location $x_1$ at time $t_1$ (even though it was not measured at $t_1$), what is the probability
of it being at location $x_2$ at time $t_2$?" The answers to such questions yield a probability
distribution over possible trajectories.

Chapter 16 initiates the study of hidden variables from the discrete, abstract
perspective of quantum computing. For me, a hidden-variable theory is simply a way to
convert a unitary matrix that maps one quantum state to another, into a stochastic matrix
that maps the initial probability distribution to the final one in some fixed basis. I list
five axioms that we might want such a theory to satisfy, and investigate previous
hidden-variable theories of Dieks and Schrödinger |2LS| in terms of these axioms. I also propose
a new hidden-variable theory based on network flows, which are classic objects of study in
computer science, and prove that this theory satisfies two axioms called "indifference" and
"robustness." A priori, it was not at all obvious that these two key axioms could be satisfied
simultaneously.

Next I turn to a new question: the computational complexity of simulating
hidden-variable theories. I show that, if we could examine the entire history of a hidden variable,
then we could efficiently solve problems that are believed to be intractable even for quantum
computers. In particular, under any hidden-variable theory satisfying the indifference
axiom, we could solve the Graph Isomorphism and Approximate Shortest Vector problems
in polynomial time, and indeed could simulate the entire class SZK (Statistical Zero
Knowledge). Combining this result with the collision lower bound of Chapter we get an
oracle relative to which BQP is strictly contained in DQP, where DQP (Dynamical Quantum
Polynomial-Time) is the class of problems efficiently solvable by sampling histories.

Using the histories model, I also show that one could search an $N$-item database
using $O(N^{1/3})$ queries, as opposed to $O(\sqrt{N})$ with Grover's algorithm. On the other
hand, the $N^{1/3}$ bound is tight, meaning that one could probably not solve NP-complete
problems in polynomial time. We thus obtain the first good example of a model of
computation that appears slightly more powerful than the quantum computing model.

In summary, Chapter 16 ties together many of the themes of this thesis: the
black-box limitations of quantum computers; the application of nontrivial computer science
techniques; the obsession with the computational resources needed to simulate our universe;
and finally, the use of quantum computing to shine light on the mysteries of quantum
mechanics itself.

Chapter 3

Complexity Theory Cheat Sheet 

"If pigs can whistle, then donkeys can fly." 

(Summary of complexity theory, attributed to Richard Karp) 

To most people who are not theoretical computer scientists, the theory of
computational complexity — one of the great intellectual achievements of the twentieth century — is
simply a meaningless jumble of capital letters. The goal of this chapter is to turn it into a
meaningful jumble.

In computer science, a problem is ordinarily an infinite set of yes-or-no questions: 
for example, "Given a graph, is it connected?" Each particular graph is an instance of the 
general problem. An algorithm for the problem is polynomial-time if, given any instance as 
input, it outputs the correct answer after at most $kn^c$ steps, where $k$ and $c$ are constants,
and n is the length of the instance, or the number of bits needed to specify it. For example, 
in the case of a directed graph, n is just the number of vertices squared. Then P is the class 
of all problems for which there exists a deterministic classical polynomial-time algorithm. 
Examples of problems in P include graph connectivity, and (as was discovered two years 
ago J7j) deciding whether a positive integer written in binary is prime or composite. 

Now, NP (Nondeterministic Polynomial-Time) is the class of problems for which, if
the answer to a given instance is 'yes,' then an omniscient wizard could provide a
polynomial-size proof of that fact, which would enable us to verify it in deterministic polynomial time.
As an example, consider the Satisfiability problem: "given a formula involving the Boolean
variables $x_1, \ldots, x_n$ and the logical connectives $\wedge, \vee, \neg$ (and, or, not), is there an assignment
to the variables that makes the formula true?" If there is such an assignment, then a
short, easily-verified proof is just the assignment itself. On the other hand, it might be
extremely difficult to find a satisfying assignment without the wizard's help — or for that
matter, to verify the absence of a satisfying assignment, even given a purported proof of
its absence from the wizard. The question of whether there exist polynomial-size proofs
of unsatisfiability that can be verified in polynomial time is called the NP versus coNP
question. Here coNP is the class containing the complement of every NP problem — for
example, "given a Boolean formula, is it not satisfiable?"

The Satisfiability problem turns out to be NP-complete, which means it is among
the "hardest" problems in NP: any instance of any NP problem can be efficiently converted
into an instance of Satisfiability. The central question, of course, is whether NP-complete
problems are solvable in polynomial time, or equivalently whether P = NP (it being clear
that P $\subseteq$ NP). By definition, if any NP-complete problem is solvable in polynomial time,
then all of them are. One thing we know is that if P $\ne$ NP, as is almost universally assumed,
then there are problems in NP that are neither in P nor NP-complete [162]. Candidates for
such "intermediate" problems include deciding whether or not two graphs are isomorphic,
and integer factoring (e.g. given integers $N, M$ written in binary, does $N$ have a prime factor
greater than $M$?). The NP-intermediate problems have been a major focus of quantum
algorithms research.

3.1 The Complexity Zoo Junior 

I now present a glossary of 12 complexity classes besides P and NP that appear in this
thesis; non-complexity-theorist readers might wish to refer back to it as needed. The
known relationships among these classes are diagrammed in Figure 3.1. These classes
represent a tiny sample of the more than 400 classes described on my Complexity Zoo web
page (www.complexityzoo.com).

PSPACE (Polynomial Space) is the class of problems solvable by a deterministic
classical algorithm that uses a polynomially-bounded amount of memory. Thus NP $\subseteq$
PSPACE, since a PSPACE machine can loop through all possible proofs.

EXP (Exponential-Time) is the class of problems solvable by a deterministic
classical algorithm that uses at most $2^{q(n)}$ time steps, for some polynomial $q$. Thus
PSPACE $\subseteq$ EXP.

BPP (Bounded-Error Probabilistic Polynomial-Time) is the class of problems
solvable by a probabilistic classical polynomial-time algorithm, which given any
instance, must output the correct answer for that instance with probability at least 2/3.
Thus P $\subseteq$ BPP $\subseteq$ PSPACE. It is widely conjectured that BPP = P pH], but not even
known that BPP $\subseteq$ NP.

PP (Probabilistic Polynomial-Time) is the class of problems solvable by a
probabilistic classical polynomial-time algorithm, which given any instance, need only
output the correct answer for that instance with probability greater than 1/2. The following
problem is PP-complete: given a Boolean formula $\varphi$, decide whether at least half of the
possible truth assignments satisfy $\varphi$. We have NP $\subseteq$ PP $\subseteq$ PSPACE and also BPP $\subseteq$ PP.

$\mathrm{P}^{\#\mathrm{P}}$ (pronounced "P to the sharp-P") is the class of problems solvable by
a P machine that can access a "counting oracle." Given a Boolean formula $\varphi$, this oracle
returns the number of truth assignments that satisfy $\varphi$. We have PP $\subseteq$ $\mathrm{P}^{\#\mathrm{P}}$ $\subseteq$ PSPACE.

BQP (Bounded-Error Quantum Polynomial-Time) is the class of problems
solvable by a quantum polynomial-time algorithm, which given any instance, must output
the correct answer for that instance with probability at least 2/3. More information is in
Chapter H We have BPP $\subseteq$ BQP $\subseteq$ PP pHITfi].

EQP (Exact Quantum Polynomial-Time) is similar to BQP, except that the
probability of correctness must be 1 instead of 2/3. This class is extremely artificial; it
is not even clear how to define it independently of the choice of gate set. But for any
reasonable choice, P $\subseteq$ EQP $\subseteq$ BQP.




P/poly (P with polynomial-size advice) is the class of problems solvable by a 
P algorithm that, along with a problem instance of length n, is also given an "advice string" 
$z_n$ of length bounded by a polynomial in n. The only constraint is that $z_n$ can depend 
only on n, and not on any other information about the instance. Otherwise the $z_n$'s can be 
chosen arbitrarily to help the algorithm. It is not hard to show that $\mathsf{BPP} \subseteq \mathsf{P/poly}$. Since 
the $z_n$'s can encode noncomputable problems (for example, does the $n^{\text{th}}$ Turing machine 
halt?), P/poly is not contained in any uniform complexity class, where "uniform" means 
that the same information is available to an algorithm regardless of n. We can also add 
polynomial-size advice to other complexity classes, obtaining EXP/poly, PP/poly, and so 
on. 

PH (Polynomial-Time Hierarchy) is the union of NP, $\mathsf{NP}^{\mathsf{NP}}$, $\mathsf{NP}^{\mathsf{NP}^{\mathsf{NP}}}$, etc. 
Equivalently, PH is the class of problems that are polynomial-time reducible to the following 
form: for all truth assignments x, does there exist an assignment y such that for all 
assignments z, . . . , $\varphi(x, y, z, \ldots)$ is satisfied, where $\varphi$ is a Boolean formula? Here the number 
of alternations between "for all" and "there exists" quantifiers is a constant independent 
of n. Sipser [222] and Lautemann [163] showed that $\mathsf{BPP} \subseteq \mathsf{PH}$, while Toda [228] showed 
that $\mathsf{PH} \subseteq \mathsf{P}^{\#\mathsf{P}}$. 

MA (Merlin Arthur) is the class of problems for which, if the answer to a given 
instance is 'yes,' then an omniscient wizard could provide a polynomial-size proof of that 
fact, which would enable us to verify it in BPP (classical probabilistic polynomial-time, with 
probability at most 1/3 of accepting an invalid proof or rejecting a valid one). We have 
$\mathsf{NP} \subseteq \mathsf{MA} \subseteq \mathsf{PP}$. 

AM (Arthur Merlin) is the class of problems for which, if the answer to a given 
instance is 'yes,' then a BPP algorithm could become convinced of that fact after a constant 
number of rounds of interaction with an omniscient wizard. We have $\mathsf{MA} \subseteq \mathsf{AM} \subseteq \mathsf{PH}$. 
There is evidence that AM = MA = NP [ToTj . 

SZK (Statistical Zero Knowledge) is the class of problems that possess 
"statistical zero-knowledge proof protocols." We have $\mathsf{BPP} \subseteq \mathsf{SZK} \subseteq \mathsf{AM}$. Although SZK 
contains nontrivial problems such as graph isomorphism [130], there are strong indications 
that it does not contain all of NP [63]. 

Other complexity classes, such as PLS, TFNP, BQP/qpoly, and $\mathsf{BPP}_{\mathsf{path}}$, will be 
introduced throughout the thesis as they are needed. 

3.2 Notation 

In computer science, the following symbols are used to describe asymptotic growth rates: 

• $F(n) = O(G(n))$ means that $F(n)$ is at most order $G(n)$; that is, $F(n) \le a + bG(n)$ 
for all $n \ge 0$ and some nonnegative constants $a, b$. 

• $F(n) = \Omega(G(n))$ means that $F(n)$ is at least order $G(n)$; that is, $G(n) = O(F(n))$. 

• $F(n) = \Theta(G(n))$ means that $F(n)$ is exactly order $G(n)$; that is, $F(n) = O(G(n))$ 
and $F(n) = \Omega(G(n))$. 

Figure 3.1: Known relations among 14 complexity classes. 



• $F(n) = o(G(n))$ means that $F(n)$ is less than order $G(n)$; that is, $F(n) = O(G(n))$ 
but not $F(n) = \Omega(G(n))$. 

The set of all n-bit strings is denoted $\{0,1\}^n$. The set of all binary strings, 
$\bigcup_{n \ge 0} \{0,1\}^n$, is denoted $\{0,1\}^*$. 

3.3 Oracles 

One complexity-theoretic concept that will be needed again and again in this thesis is that 
of an oracle. An oracle is a subroutine available to an algorithm, that is guaranteed to 
compute some function even if we have no idea how. Oracles are denoted using superscripts. 
For example, $\mathsf{P}^{\mathsf{NP}}$ is the class of problems solvable by a P algorithm that, given any instance 
of an NP-complete problem such as Satisfiability, can instantly find the solution for that 
instance by calling the NP oracle. The algorithm can make multiple calls to the oracle, and 
these calls can be adaptive (that is, can depend on the outcomes of previous calls). If a 
quantum algorithm makes oracle calls, then unless otherwise specified we assume that the 
calls can be made in superposition. Further details about the quantum oracle model are 
provided in Chapter 

We identify an oracle with the function that it computes, usually a Boolean function 
$f : \{0,1\}^* \to \{0,1\}$. Often we think of $f$ as defining a problem instance, or rather 
an infinite sequence of problem instances, one for each positive integer n. For example, 
"does there exist an $x \in \{0,1\}^n$ such that $f(x) = 1$?" In these cases the oracle string, 
which consists of $f(x)$ for every $x \in \{0,1\}^n$, can be thought of as an input that is $2^n$ bits 
long instead of n bits. Of course, a classical algorithm running in polynomial time could 
examine only a tiny fraction of such an input, but maybe a quantum algorithm could do 
better. When discussing such questions, we need to be careful to distinguish between two 
functions: $f$ itself, and the function of the oracle string that an algorithm is trying to 
compute. 

Chapter 4 

Quantum Computing Cheat Sheet 



"Somebody says . . . 'You know those quantum mechanical amplitudes you told 
me about, they're so complicated and absurd, what makes you think those are 
right? Maybe they aren't right.' Such remarks are obvious and are perfectly 
clear to anybody who is working on this problem. It does not do any good to 
point this out." 

— Richard Feynman, The Character of Physical Law jlL)9j 

Non-physicists often have the mistaken idea that quantum mechanics is hard. 
Unfortunately, many physicists have done nothing to correct that idea. But in newer 
textbooks, courses, and survey articles [El EH E3 EES EES] , the truth is starting to come 
out: if you wish to understand the central 'paradoxes' of quantum mechanics, together with 
almost the entire body of research on quantum information and computing, then you do 
not need to know anything about wave-particle duality, ultraviolet catastrophes, Planck's 
constant, atomic spectra, boson-fermion statistics, or even Schrödinger's equation. All you 
need to know is how to manipulate vectors whose entries are complex numbers. If that is 
too difficult, then positive and negative real numbers turn out to suffice for most purposes 
as well. After you have mastered these vectors, you will then have some context if you wish 
to learn more about the underlying physics. But the historical order in which the ideas 
were discovered is almost the reverse of the logical order in which they are easiest to learn! 

What quantum mechanics says is that, if an object can be in either of two perfectly 
distinguishable states, which we denote $|0\rangle$ and $|1\rangle$, then it can also be in a linear 
"superposition" of those states, denoted $\alpha|0\rangle + \beta|1\rangle$. Here $\alpha$ and $\beta$ are complex numbers 
called "amplitudes," which satisfy $|\alpha|^2 + |\beta|^2 = 1$. The asymmetric brackets $|\ \rangle$ are called 
"Dirac ket notation"; one gets used to them with time. 

If we measure the state $\alpha|0\rangle + \beta|1\rangle$ in a standard way, then we see the "basis state" 
$|0\rangle$ with probability $|\alpha|^2$, and $|1\rangle$ with probability $|\beta|^2$. Also, the state changes to whichever 
outcome we see — so if we see $|0\rangle$ and then measure again, nothing having happened in the 
interim, we will still see $|0\rangle$. The two probabilities $|\alpha|^2$ and $|\beta|^2$ sum to 1, as they ought 
to. So far, we might as well have described the object using classical probabilities — for 
example, "this cat is alive with probability 1/2 and dead with probability 1/2; we simply 
don't know which." 

The difference between classical probabilities and quantum amplitudes arises in 
how the object's state changes when we perform an operation on it. Classically, we can 
multiply a vector of probabilities by a stochastic matrix, which is a matrix of nonnegative 
real numbers each of whose columns sums to 1. Quantum-mechanically, we multiply the 
vector of amplitudes by a unitary matrix, which is a matrix of complex numbers that maps 
any unit vector to another unit vector. (Equivalently, U is unitary if and only if its inverse 
$U^{-1}$ equals its conjugate transpose $U^*$.) As an example, suppose we start with the state 
$|0\rangle$, which corresponds to the vector of amplitudes 

$$\begin{bmatrix} 1 \\ 0 \end{bmatrix}.$$



We then left-multiply this vector by the unitary matrix 

which maps the vector to 



and therefore the state $|0\rangle$ to 

If we now measured, we would see $|0\rangle$ with probability 1/2 and $|1\rangle$ with probability 1/2. 
The interesting part is what happens if we apply the same operation U a second time, 
without measuring. We get 

which is $|1\rangle$ with certainty (see Figure 4.1). Applying a "randomizing" operation to a 
"random" state produces a deterministic outcome! The reason is that, whereas probabilities 
are always nonnegative, amplitudes can be positive, negative, or even complex, and can 
therefore cancel each other out. This interference of amplitudes can be considered the 
source of all "quantum weirdness." 



4.1 Quantum Computers: N Qubits 

The above description applied to "qubits," or objects with only two distinguishable states. 
But it generalizes to objects with a larger number of distinguishable states. Indeed, in 
quantum computing we consider a system of N qubits, each of which can be $|0\rangle$ or $|1\rangle$. We 
then need to assign amplitudes to all $2^N$ possible outcomes of measuring the qubits in order 
from first to last. So the computer's state has the form 

$$|\psi\rangle = \sum_{z \in \{0,1\}^N} \alpha_z |z\rangle, \quad \text{where} \quad \sum_{z \in \{0,1\}^N} |\alpha_z|^2 = 1.$$

Figure 4.1: Quantum states of the form $\alpha|0\rangle + \beta|1\rangle$, with $\alpha$ and $\beta$ real, can be represented 
by unit vectors in the plane. Then the operation U corresponds to a 45° counterclockwise 
rotation. 



What was just said is remarkable — for it suggests that Nature needs to keep track of $2^N$ 
complex numbers just to describe a state of N interacting particles. If N = 300, then this 
is already more complex numbers than there are particles in the known universe. The goal 
of quantum computing is to exploit this strange sort of parallelism that is inherent in the 
laws of physics as we currently understand them. 

The difficulty is that, when the computer's state is measured, we only see one of 
the "basis states" $|x\rangle$, not the entire collection of amplitudes. However, for a few specific 
problems, we might be able to arrange things so that basis states corresponding to wrong 
answers all have amplitudes close to 0, because of interference between positive and negative 
contributions. If we can do that, then basis states corresponding to right answers will be 
measured with high probability. 

More explicitly, a quantum computer applies a sequence of unitary matrices called 
gates, each of which acts on only one or two of the N qubits (meaning that it is a tensor 
product of the identity operation on $N - 1$ or $N - 2$ qubits, and the operation of interest on 
the remaining qubits). As an example, the controlled-NOT or CNOT gate is a two-qubit 
gate that flips a "target" qubit if a "control" qubit is 1, and otherwise does nothing: 



$$|00\rangle \to |00\rangle, \quad |01\rangle \to |01\rangle, \quad |10\rangle \to |11\rangle, \quad |11\rangle \to |10\rangle.$$



The unitary matrix corresponding to the CNOT gate is 



$$\begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{bmatrix}.$$

Adleman, DeMarrais, and Huang [16] showed that the CNOT gate, together with the one-qubit 
gate 

$$\begin{bmatrix} \frac{3}{5} & -\frac{4}{5} \\ \frac{4}{5} & \frac{3}{5} \end{bmatrix}$$

constitute a universal set of quantum gates, in that they can be used to approximate any 
other gate to any desired accuracy. Indeed, almost any set of one- and two-qubit gates is 
universal in this sense [,94. 
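
The single-qubit interference example and the gate model described above, as an added Python sketch (not code from the thesis): a small state-vector simulator that applies a one-qubit gate or a CNOT to an N-qubit state without building the full tensor-product matrix. U is assumed to be the 45° counterclockwise rotation that the Figure 4.1 caption describes; all function names are this example's own.

```python
import math

S = 1 / math.sqrt(2)
U = [[S, -S], [S, S]]                  # assumed: 45-degree rotation (Figure 4.1 caption)
ADH = [[3 / 5, -4 / 5], [4 / 5, 3 / 5]]  # one-qubit gate quoted from [16] above
COIN = [[0.5, 0.5], [0.5, 0.5]]        # stochastic matrix: classical "randomize"


def basis(n, z=0):
    """Amplitude vector of n qubits with all weight on basis state z."""
    state = [0.0] * (1 << n)
    state[z] = 1.0
    return state


def apply_1q(state, gate, k, n):
    """Apply a 2x2 gate to qubit k (0 = first qubit) of an n-qubit state.

    Same effect as multiplying by I x ... x gate x ... x I, done pair by pair.
    """
    bit = 1 << (n - 1 - k)
    out = list(state)
    for z in range(len(state)):
        if not z & bit:
            a0, a1 = state[z], state[z | bit]
            out[z] = gate[0][0] * a0 + gate[0][1] * a1
            out[z | bit] = gate[1][0] * a0 + gate[1][1] * a1
    return out


def apply_cnot(state, control, target, n):
    """Flip the target qubit on every basis state whose control qubit is 1."""
    cbit = 1 << (n - 1 - control)
    tbit = 1 << (n - 1 - target)
    out = list(state)
    for z in range(len(state)):
        if z & cbit:
            out[z] = state[z ^ tbit]
    return out


def probabilities(state):
    """Standard-basis measurement: outcome z has probability |alpha_z|^2."""
    return [abs(a) ** 2 for a in state]


def interference_demo():
    """U once gives a fair coin; U twice gives |1> with certainty.

    The classical analogue (COIN applied twice) stays at 1/2, 1/2.
    """
    once = apply_1q(basis(1), U, 0, 1)
    twice = apply_1q(once, U, 0, 1)
    p = [1.0, 0.0]
    for _ in range(2):
        p = [COIN[0][0] * p[0] + COIN[0][1] * p[1],
             COIN[1][0] * p[0] + COIN[1][1] * p[1]]
    return probabilities(once), probabilities(twice), p


def bell_demo():
    """U on the first qubit, then CNOT: weight 1/2 each on |00> and |11>."""
    state = apply_1q(basis(2), U, 0, 2)
    state = apply_cnot(state, 0, 1, 2)
    return probabilities(state)


if __name__ == "__main__":
    print(interference_demo())
    print(bell_demo())
```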

A quantum circuit is just a sequence of gates drawn from a finite universal set. 
Without loss of generality, we can take the circuit's output to be the result of a single 
measurement after all gates have been applied; that is, $z \in \{0,1\}^N$ with probability $|\alpha_z|^2$. 
(If a binary output is needed, we simply throw away the last $N - 1$ bits of z.) It is known 
that allowing intermediate measurements does not yield any extra computational power 
[55]. The circuit is polynomial-size if both N and the number of gates are upper-bounded 
by a polynomial in the length n of the input. 

We can now define the important complexity class BQP, or Bounded-Error Quantum 
Polynomial-Time. Given an input $x \in \{0,1\}^n$, first a polynomial-time classical algorithm 
A prepares a polynomial-size quantum circuit $U_x$. (The requirement that the circuit 
itself be efficiently preparable is called uniformity.) Then $U_x$ is applied to the "all-0" initial 
state $|0\rangle^{\otimes N}$. We say a language $L \subseteq \{0,1\}^n$ is in BQP if there exists an A such that for all 
x, 

(i) If $x \in L$ then $U_x$ outputs '1' with probability at least 2/3. 

(ii) If $x \notin L$ then $U_x$ outputs '0' with probability at least 2/3. 

By running $U_x$ multiple times and taking the majority answer, we can boost the 
probability of success from 2/3 to $1 - 2^{-p(n)}$ for any polynomial p. 

BQP was first defined in a 1993 paper by Bernstein and Vazirani.$^1$ That paper 
marked a turning point. Before, quantum computing had been an idea, explored in pioneering 
work by Deutsch [5U|, Feynman |1U8|, and others. Afterward, quantum computing 
was a full-fledged model in the sense of computational complexity theory, which could be 
meaningfully compared against other models. For example, Bernstein and Vazirani showed 
that $\mathsf{BPP} \subseteq \mathsf{BQP} \subseteq \mathsf{P}^{\#\mathsf{P}}$: informally, quantum computers are at least as powerful as classical 
probabilistic computers, and at most exponentially more powerful. (The containment 
$\mathsf{BQP} \subseteq \mathsf{P}^{\#\mathsf{P}}$ was later improved to $\mathsf{BQP} \subseteq \mathsf{PP}$ by Adleman, DeMarrais, and Huang [16].) 

Bernstein and Vazirani also gave an oracle problem called Recursive Fourier Sampling 
(RFS), and showed that it requires $n^{\Omega(\log n)}$ classical probabilistic queries but only n 
quantum queries. This provided the first evidence that quantum computers are strictly 
more powerful than classical probabilistic computers, i.e. that $\mathsf{BPP} \ne \mathsf{BQP}$. Soon afterward, 
Simon [220] widened the gap to polynomial versus exponential, by giving an oracle 
problem that requires $\Omega(2^{n/2})$ classical probabilistic queries but only $O(n)$ quantum 
queries. However, these results attracted limited attention because the problems seemed 
artificial. 

1 As a historical note, Bernstein and Vazirani [55] defined BQP in terms of "quantum Turing machines." 
However, Yao [248] showed that Bernstein and Vazirani's definition is equivalent to the much simpler one 
given here. Also, Berthiaume and Brassard [57] had implicitly defined EQP (Exact Quantum Polynomial-Time) 
a year earlier, and had shown that it lies outside P and even NP relative to an oracle. 

People finally paid attention when Shor [219] showed that quantum computers 
could factor integers and compute discrete logarithms in polynomial time. The security 
of almost all modern cryptography rests on the presumed intractability of those two problems. 
It had long been known [177] that factoring is classically reducible to the following 
problem: given oracle access to a periodic function $f : \{1, \ldots, R\} \to \{1, \ldots, R\}$, where R is 
exponentially large, find the period of $f$. Shor gave an efficient quantum algorithm for this 
oracle problem, by exploiting the quantum Fourier transform, a tool that had earlier been 
used by Simon. (The algorithm for the discrete logarithm problem is more complicated 
but conceptually similar.) 

Other results in the "quantum canon," such as Grover's algorithm [139] and methods 
for quantum error-correction and fault-tolerance |2Ull8UlH321ll591l225j, will be discussed 
in this thesis as the need arises. 

4.2 Further Concepts 

This section summarizes "fancier" quantum mechanics concepts, which are needed for Part 
ITT1 and for Chapter ^3 of Part [I] (which deals with quantum advice) . They are not needed 
for the other chapters in Part[lJ 

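Tensor Product. If $|\psi\rangle$ and $|\varphi\rangle$ are two quantum states, then their tensor 
product, denoted $|\psi\rangle \otimes |\varphi\rangle$ or $|\psi\rangle |\varphi\rangle$, is just a state that consists of $|\psi\rangle$ and $|\varphi\rangle$ next to each 
other. For example, if $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ and $|\varphi\rangle = \gamma|0\rangle + \delta|1\rangle$, then 

$$|\psi\rangle |\varphi\rangle = (\alpha|0\rangle + \beta|1\rangle)(\gamma|0\rangle + \delta|1\rangle) = \alpha\gamma|00\rangle + \alpha\delta|01\rangle + \beta\gamma|10\rangle + \beta\delta|11\rangle.$$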

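Inner Product. The inner product between two states $|\psi\rangle = \alpha_1 |1\rangle + \cdots + \alpha_N |N\rangle$ 
and $|\varphi\rangle = \beta_1 |1\rangle + \cdots + \beta_N |N\rangle$ is defined as 

$$\langle\psi|\varphi\rangle = \alpha_1^* \beta_1 + \cdots + \alpha_N^* \beta_N$$

where * denotes complex conjugate. The inner product satisfies all the expected properties, 
such as $\langle\psi|\psi\rangle = 1$ and 

$$\langle\psi| \left( |\varphi\rangle + |\phi\rangle \right) = \langle\psi|\varphi\rangle + \langle\psi|\phi\rangle.$$

If $\langle\psi|\varphi\rangle = 0$ then we say $|\psi\rangle$ and $|\varphi\rangle$ are orthogonal. 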

General Measurements. In principle, we can choose any orthogonal basis of 
states $\{|\varphi_1\rangle, \ldots, |\varphi_N\rangle\}$ in which to measure a state $|\psi\rangle$. (Whether that measurement 
can actually be performed efficiently is another matter.) Then the probability of obtaining 
outcome $|\varphi_j\rangle$ is $|\langle\psi|\varphi_j\rangle|^2$. We can even measure in a non-orthogonal basis, a concept called 
Positive Operator Valued Measurements (POVM's) that I will not explain here. None of 
these more general measurements increase the power of the quantum computing model, 
since we can always produce the same effect by first applying a unitary matrix (possibly 
using additional qubits called ancillas), and then measuring in a "standard" basis such as 
$\{|1\rangle, \ldots, |N\rangle\}$. 

Mixed States. Superposition states, such as $\alpha|0\rangle + \beta|1\rangle$, are also called pure 
states. This is to distinguish them from mixed states, which are the most general kind 
of state in quantum mechanics. Mixed states are just classical probability distributions 
over pure states. There is a catch, though: any mixed state can be decomposed into 
a probability distribution over pure states in infinitely many nonequivalent ways. For 
example, if we have a state that is $|0\rangle$ with probability 1/2 and $|1\rangle$ with probability 1/2, then 
no experiment could ever distinguish it from a state that is $(|0\rangle + |1\rangle)/\sqrt{2}$ with probability 
1/2 and $(|0\rangle - |1\rangle)/\sqrt{2}$ with probability 1/2. For regardless of what orthogonal basis we 
measured in, the two possible outcomes of measuring would both occur with probability 
1/2. Therefore, this state is called the one-qubit maximally mixed state. 

Density Matrices. We can represent mixed states using a formalism called 
density matrices. The outer product of $|\psi\rangle = \alpha_1 |1\rangle + \cdots + \alpha_N |N\rangle$ with itself, denoted 
$|\psi\rangle\langle\psi|$, is an $N \times N$ complex matrix whose $(i,j)$ entry is $\alpha_i \alpha_j^*$. Now suppose we have a 
state that is $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ with probability p, and $|\varphi\rangle = \gamma|0\rangle + \delta|1\rangle$ with probability 
$1 - p$. We represent the state by a Hermitian positive definite matrix $\rho$ with trace 1, as 
follows: 

$$\rho = p\,|\psi\rangle\langle\psi| + (1-p)\,|\varphi\rangle\langle\varphi| = p \begin{bmatrix} \alpha\alpha^* & \alpha\beta^* \\ \beta\alpha^* & \beta\beta^* \end{bmatrix} + (1-p) \begin{bmatrix} \gamma\gamma^* & \gamma\delta^* \\ \delta\gamma^* & \delta\delta^* \end{bmatrix}.$$

When we apply a unitary operation U, the density matrix $\rho$ changes to $U\rho U^{-1}$. When 
we measure in the standard basis, the probability of outcome $|j\rangle$ is the $j^{\text{th}}$ diagonal entry 
of $\rho$. Proving that these rules are the correct ones, and that a density matrix really is a 
unique description of a mixed state, are "exercises for the reader" (which as always means 
the author was too lazy). Density matrices will mainly be used in Chapter I1UI 

Trace Distance. Suppose you are given a system that was prepared in state $\rho$ 
with probability 1/2, and $\sigma$ with probability 1/2. After making a measurement, you must 
guess which state the system was prepared in. What is the maximum probability that you 
will be correct? The answer turns out to be 

$$\frac{1 + \|\rho - \sigma\|_{\mathrm{tr}}}{2}$$

where $\|\rho - \sigma\|_{\mathrm{tr}}$ is the trace distance between $\rho$ and $\sigma$, defined as $\frac{1}{2} \sum_i |\lambda_i|$ where $\lambda_1, \ldots, \lambda_N$ 
are the eigenvalues of $\rho - \sigma$. 
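
The mixed-state, density-matrix and trace-distance rules above, worked for one qubit in an added Python sketch (not code from the thesis). It builds density matrices from ensembles, checks that the two ensembles named under Mixed States give the same matrix, and evaluates the best guessing probability; the function names and the choice of $|0\rangle$ versus $(|0\rangle + |1\rangle)/\sqrt{2}$ as the pair to distinguish are this example's own.

```python
import math

S = 1 / math.sqrt(2)


def outer(psi):
    """|psi><psi| for a one-qubit state (a, b): entry (i, j) is a_i * conj(a_j)."""
    a, b = psi
    return [[a * a.conjugate(), a * b.conjugate()],
            [b * a.conjugate(), b * b.conjugate()]]


def mix(ensemble):
    """Density matrix of a list of (probability, pure state) pairs."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for p, psi in ensemble:
        o = outer(psi)
        for i in range(2):
            for j in range(2):
                rho[i][j] += p * o[i][j]
    return rho


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def evolve(rho, u):
    """rho -> U rho U^{-1}; for unitary U the inverse is the conjugate transpose."""
    u_inv = [[u[j][i].conjugate() for j in range(2)] for i in range(2)]
    return matmul(matmul(u, rho), u_inv)


def measure_probs(rho):
    """Standard-basis outcome probabilities: the diagonal of rho."""
    return [rho[0][0].real, rho[1][1].real]


def eigenvalues_hermitian(m):
    """Closed-form eigenvalues of a 2x2 Hermitian matrix."""
    a, d, b = m[0][0].real, m[1][1].real, m[0][1]
    mid = (a + d) / 2
    radius = math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    return mid - radius, mid + radius


def trace_distance(rho, sigma):
    """Half the sum of |eigenvalues| of rho - sigma."""
    delta = [[rho[i][j] - sigma[i][j] for j in range(2)] for i in range(2)]
    return 0.5 * sum(abs(lam) for lam in eigenvalues_hermitian(delta))


def best_guess_probability(rho, sigma):
    """Maximum chance of naming which of two equally likely states was prepared."""
    return (1 + trace_distance(rho, sigma)) / 2


# The two ensembles from the Mixed States paragraph.
RHO_STANDARD = mix([(0.5, (1.0, 0.0)), (0.5, (0.0, 1.0))])
RHO_ROTATED = mix([(0.5, (S, S)), (0.5, (S, -S))])

if __name__ == "__main__":
    print(trace_distance(RHO_STANDARD, RHO_ROTATED))           # indistinguishable
    print(best_guess_probability(outer((1.0, 0.0)), outer((S, S))))
```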

Entanglement. Suppose $\rho$ is a joint state of two systems. If $\rho$ can be written as 
a probability distribution over pure states of the form $|\psi\rangle \otimes |\varphi\rangle$, then we say $\rho$ is separable; 
otherwise $\rho$ is entangled. 

Hamiltonians. Instead of discrete unitary operations, we can imagine that a 
quantum state evolves in time by a continuous rotation called a Hamiltonian. A Hamiltonian 
is an $N \times N$ Hermitian matrix H. To find the unitary operation $U(t)$ that is 
effected by "leaving H on" for t time steps, the rule$^2$ is $U(t) = e^{-iHt}$. The only place I 
use Hamiltonians is in Chapter 1141 and even there the use is incidental. 



2 Here Planck's constant is set equal to 1 as always. 

Limitations of Quantum 
Computers 

Chapter 5 

Introduction 



"A quantum possibility is less real than a classical reality, but more real than 
a classical possibility." 
— Boris Tsirelson [229] 

Notwithstanding accounts in the popular press, a decade of research has made it 
clear that quantum computers would not be a panacea. In particular, we still do not have a 
quantum algorithm to solve NP-complete problems in polynomial time. But can we prove 
that no such algorithm exists, i.e. that $\mathsf{NP} \not\subseteq \mathsf{BQP}$? The difficulty is that we can't even 
prove no classical algorithm exists; this is the P versus NP question. Of course, we could 
ask whether $\mathsf{NP} \not\subseteq \mathsf{BQP}$ assuming that $\mathsf{P} \ne \mathsf{NP}$ — but unfortunately, even this conditional 
question seems far beyond our ability to answer. So we need to refine the question even 
further: can quantum computers solve NP-complete problems in polynomial time, by brute 
force? 

What is meant by "brute force" is the following. In Shor's factoring algorithm 
[219], we prepare a superposition of the form 

$$\frac{1}{\sqrt{R}} \sum_{r=1}^{R} |r\rangle |g(r)\rangle$$

where $g(r) = x^r \bmod N$ for some $x, N$. But as far as the key step of the algorithm is 
concerned, the function g is a "black box." Given any superposition like the one above, 
the algorithm will find the period of g assuming g is periodic; it does not need further 
information about how g was computed. So in the language of Section 3.3, we might as 
well say that g is computed by an oracle. 

Now suppose we are given a Boolean formula $\varphi$ over n variables, and are asked to 
decide whether $\varphi$ is satisfiable. One approach would be to exploit the internal structure 
of $\varphi$: "let's see, if I set variable $x_{37}$ to TRUE, then this clause here is satisfied, but those 
other clauses aren't satisfied any longer . . . darn!" However, inspired by Shor's factoring 
algorithm, we might hope for a cruder quantum algorithm that treats $\varphi$ merely as an oracle, 
mapping an input string $x \in \{0,1\}^n$ to an output bit $\varphi(x)$ that is 1 if and only if x satisfies 
$\varphi$. The algorithm would have to decide whether there exists an $x \in \{0,1\}^n$ such that 
$\varphi(x) = 1$, using as few calls to the $\varphi$ oracle as possible, and not learning about $\varphi$ in any 
other way. This is what is meant by brute force. 

A fundamental result of Bennett, Bernstein, Brassard, and Vazirani [SJ says that 
no brute-force quantum algorithm exists to solve NP-complete problems in polynomial time. 
In particular, for some probability distribution over oracles, any quantum algorithm needs 
$\Omega(2^{n/2})$ oracle calls to decide, with at least a 2/3 chance of being correct, whether there 
exists an $x \in \{0,1\}^n$ such that $\varphi(x) = 1$. On a classical computer, of course, $\Theta(2^n)$ oracle 
calls are necessary and sufficient. But as it turns out, Bennett et al.'s quantum lower bound 
is tight, since Grover's quantum search algorithm [139] can find a satisfying assignment (if 
it exists) quadratically faster than any classical algorithm. Amusingly, Grover's algorithm 
was proven optimal before it was discovered to exist! 

A recurring theme in this thesis is the pervasiveness of Bennett et al.'s finding. I 
will show that, even if a problem has considerably more structure than the basic Grover 
search problem, even if "quantum advice states" are available, or even if we could examine 
the entire history of a hidden variable, still any brute-force quantum algorithm would take 
exponential time. 



5.1 The Quantum Black-Box Model 

The quantum black-box model formalizes the idea of a brute-force algorithm. For the time 
being, suppose that a quantum algorithm's goal is to evaluate $f(X)$, where 
$f : \{0,1\}^n \to \{0,1\}$ is a Boolean function and $X = x_1 \ldots x_n$ is an n-bit string. Then the algorithm's 
state at any time t has the form 

$$\sum_{i,z} \alpha^{(t)}_{i,z} |i,z\rangle.$$

Here $i \in \{1, \ldots, n\}$ is the index of an oracle bit $x_i$ to query, and z is an arbitrarily large 
string of bits called the "workspace," containing whatever information the algorithm wants 
to store there. The state evolves in time via an alternating sequence of algorithm steps and 
query steps. An algorithm step multiplies the vector of $\alpha_{i,z}$'s by an arbitrary unitary matrix 
that does not depend on X. It does not matter how many quantum gates would be needed 
to implement this matrix. A query step maps each basis state $|i,z\rangle$ to $|i, z \oplus x_i\rangle$, effecting 
the transformation $\alpha^{(t+1)}_{i,z} = \alpha^{(t)}_{i, z \oplus x_i}$. Here $z \oplus x_i$ is the string z, with $x_i$ exclusive-OR'ed 
into a particular location in z called the "answer bit." The reason exclusive-OR is used is 
that the query step has to be reversible, or else it would not be unitary. 

At the final step T, the state is measured in the standard basis, and the output of 
the algorithm is taken to be (say) $z_1$, the first bit of z. The algorithm succeeds if 

$$\sum_{i,z \,:\, z_1 = f(X)} \left| \alpha^{(T)}_{i,z} \right|^2 \ge \frac{2}{3}$$

for all $X \in \{0,1\}^n$. Here the constant 2/3 is arbitrary. Then the (bounded-error) quantum 
query complexity of $f$, denoted $Q_2(f)$, is the minimum over all quantum algorithms A that 
succeed at evaluating $f$, of the number of queries to $f$ made by A. Here the '2' represents 
the fact that the error probability is two-sided. One can compare $Q_2(f)$ with $Q_0(f)$, 
or zero-error quantum query complexity; $R_2(f)$, or bounded-error classical randomized 
query complexity; and $D(f)$, or deterministic query complexity, among other complexity 
measures. Chapter |H1 will define many such measures and compare them in detail. 

As a simple example of the black-box model, let $\mathrm{OR}(x_1, \ldots, x_n) = x_1 \vee \cdots \vee x_n$. 
Then Grover's algorithm [139] implies that $Q_2(\mathrm{OR}) = O(\sqrt{n})$, while the lower bound of 
Bennett et al. jSJ implies that $Q_2(\mathrm{OR}) = \Omega(\sqrt{n})$. By comparison, $D(\mathrm{OR}) = R_2(\mathrm{OR}) = \Theta(n)$. 
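
The black-box model and the OR example above, as an added Python simulation (not code from the thesis). The workspace is reduced to a single answer bit, the query step is exactly the map $|i, b\rangle \to |i, b \oplus x_i\rangle$, and the algorithm step is Grover's reflection about the uniform superposition, which does not depend on X. The example assumes the promise that at most one $x_i$ is 1 and uses 0-based indices; class and function names are this example's own.

```python
import math


class Oracle:
    """Holds the hidden string X and counts every query step made to it."""

    def __init__(self, bits):
        self.bits = list(bits)
        self.n = len(self.bits)
        self.queries = 0

    def query_step(self, amp):
        """|i, b> -> |i, b XOR x_i>; amp[2*i + b] is the amplitude of |i, b>."""
        self.queries += 1
        out = list(amp)
        for i, x in enumerate(self.bits):
            if x:
                out[2 * i], out[2 * i + 1] = amp[2 * i + 1], amp[2 * i]
        return out


def diffusion(amp, n):
    """Algorithm step: reflect the index register about the uniform state.

    Acts as (2|s><s| - I) on i and as the identity on the answer bit b.
    """
    out = list(amp)
    for b in (0, 1):
        mean = sum(amp[2 * i + b] for i in range(n)) / n
        for i in range(n):
            out[2 * i + b] = 2 * mean - amp[2 * i + b]
    return out


def grover_or(bits):
    """Return (probability of outputting 1, number of queries used)."""
    oracle = Oracle(bits)
    n = oracle.n
    # Uniform over i, answer bit in (|0> - |1>)/sqrt(2): an XOR query then
    # shows up as a sign flip on the marked index.
    a = 1 / math.sqrt(2 * n)
    amp = [a, -a] * n
    rounds = int(math.pi / 4 * math.sqrt(n))
    for _ in range(rounds):
        amp = diffusion(oracle.query_step(amp), n)
    # Measure i in the standard basis, then read x_i once and output it.
    index_prob = [amp[2 * i] ** 2 + amp[2 * i + 1] ** 2 for i in range(n)]
    oracle.queries += 1
    accept = sum(p for p, x in zip(index_prob, oracle.bits) if x)
    return accept, oracle.queries


def classical_scan(bits):
    """Deterministic baseline: read bits in order until a 1 appears."""
    for count, x in enumerate(bits, start=1):
        if x:
            return 1, count
    return 0, len(bits)


if __name__ == "__main__":
    X = [0] * 1024          # constructed sample input
    X[700] = 1
    print(grover_or(X), classical_scan(X))
```

With n = 1024 the simulated algorithm uses 26 queries where the scan needs 701 for this input; when X is all zeros the output is 0 with certainty, so the error is one-sided here.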

The quantum black-box model has some simple generalizations, which I will use 
when appropriate. First, $f$ can be a partial function, defined only on a subset of $\{0,1\}^n$ 
(so we obtain what is called a promise problem). Second, the $x_i$'s do not need to be bits; 
in Chapters El and they will take values from a larger range. Third, in Chapter the 
output will not be Boolean, and there will generally be more than one valid output (so we 
obtain what is called a relation problem). 

5.2 Oracle Separations 

"I do believe it 

Against an oracle." 

— Shakespeare, The Tempest 

Several times in this thesis, I will use a lower bound on quantum query complexity 
to show that a complexity class is not in BQP "relative to an oracle." The method for turning 
query complexity lower bounds into oracle separations was invented by Baker, Gill, and 
Solovay jlj to show that there exists an oracle A relative to which $\mathsf{P}^A \ne \mathsf{NP}^A$. Basically, 
they encoded into A an infinite sequence of exponentially hard search problems, one for 
each input length n, such that (i) a nondeterministic machine can solve the $n^{\text{th}}$ problem 
in time polynomial in n, but (ii) any deterministic machine would need time exponential 
in n. They guaranteed (ii) by "diagonalizing" against all possible deterministic machines, 
similarly to how Turing created an uncomputable real number by diagonalizing against all 
possible computable reals. Later, Bennett and Gill [SI] showed that a simpler way to 
guarantee (ii) is just to choose the search problems uniformly at random. Throughout the 
thesis, I will cavalierly ignore such issues, proceeding immediately from a query complexity 
lower bound to the statement of the corresponding oracle separation. 

The point of an oracle separation is to rule out certain approaches to solving 
an open problem in complexity theory. For example, the Baker-Gill-Solovay theorem 
implies that the standard techniques of computability theory, which relativize (that is, are 
"oblivious" to the presence of an oracle), cannot be powerful enough to show that P = NP. 
Similarly, the result of Bennett et al. that $Q_2(\mathrm{OR}) = \Omega(\sqrt{n})$ implies that there exists 
an oracle A relative to which $\mathsf{NP}^A \not\subseteq \mathsf{BQP}^A$. While this does not show that $\mathsf{NP} \not\subseteq \mathsf{BQP}$, 
it does show that any proof of $\mathsf{NP} \subseteq \mathsf{BQP}$ would have to use "non-relativizing" techniques 
that are unlike anything we understand today. 

However, many computer scientists are skeptical that anything can be learned 
from oracles. The reason for their skepticism is that over the past 15 years, they have 
seen several examples of non-relativizing results in classical complexity theory. The most 
famous of these is Shamir's Theorem [2151 I17f] that $\mathsf{PSPACE} \subseteq \mathsf{IP}$, where IP is the class of 
problems that have interactive proof systems, meaning that if the answer for some instance 
is "yes," then a polynomial-time verifier can become convinced of that fact to any desired 
level of confidence by exchanging a sequence of messages with an omniscient prover.$^1$ By 
contrast, oracles had been known relative to which not even coNP, let alone PSPACE, is 
contained in IP [117]. So why should we ever listen to oracles again, if they got interactive 
proofs so dramatically wrong? 

My answer is threefold. First, essentially all quantum algorithms that we know 
today — from Shor's algorithm, as discussed previously, to Grover's algorithm, to the quantum 
adiabatic algorithm$^2$ jlU6j, to the algorithms of Hallgren [141] and van Dam, Hallgren, 
and Ip [232] — are oracle algorithms at their core. We do not know of any non-relativizing 
quantum algorithm technique analogous to the arithmetization technique that was used to 
prove $\mathsf{PSPACE} \subseteq \mathsf{IP}$. If such a technique is ever discovered, I will be one of the first to 
want to learn it. 

The second response is that without oracle results, we do not have even the beginnings 
of understanding. Once we know (for example) that $\mathsf{SZK} \not\subseteq \mathsf{BQP}$ relative to an 
oracle, we can then ask the far more difficult unrelativized question, knowing something 
about the hurdles that any proof of $\mathsf{SZK} \subseteq \mathsf{BQP}$ would have to overcome. 

The third response is that "the proof of the pudding is in the proving." In other 
words, the real justification for the quantum black-box model is not the a priori plausibility 
of its assumptions, but the depth and nontriviality of what can be (and has been) proved 
in it. For example, the result that $\mathsf{coNP} \not\subseteq \mathsf{IP}$ relative to an oracle [117] does not tell us 
much about interactive proof systems. For given an exponentially long oracle string X, it 
is intuitively obvious that nothing a prover could say could convince a classical polynomial- 
time verifier that X is the all-0 string, even if the prover and verifier could interact. The 
only issue is how to formalize that obvious fact by diagonalizing against all possible proof 
systems. By contrast, the quantum oracle separations that we have are not intuitively 
obvious in the same way; or rather, the act of understanding them confers an intuition 
where none was previously present. 



1 Arora, Impagliazzo, and Vazirani [36] claim the Cook-Levin Theorem, that Satisfiability is NP-complete, 
as another non-relativizing result. But this hinges on what we mean by "non-relativizing," far more than 
the $\mathsf{PSPACE} \subseteq \mathsf{IP}$ example. 

2 Given an assignment x to a 3SAT formula $\varphi$, the adiabatic algorithm actually queries an oracle that 
returns the number of clauses of $\varphi$ that x satisfies, not just whether x satisfies $\varphi$ or not. Furthermore, van 
Dam, Mosca, and Vazirani [233] have shown such an oracle is sufficient to reconstruct $\varphi$. On the other 
hand, the adiabatic algorithm itself would be just as happy with a fitness landscape that did not correspond 
to any 3SAT instance, and that is what I mean by saying that it is an oracle algorithm at the core. 

Chapter 6 

The Collision Problem 



The collision problem of size $n$, or $\mathrm{Col}_n$, is defined as follows. Let $X = x_1 \ldots x_n$ 
be a sequence of $n$ integers drawn from $\{1, \ldots, n\}$, with $n$ even. We are guaranteed that 
either 

(1) X is one-to-one (that is, a permutation of {1, ... , n}), or 

(2) X is two-to-one (that is, each element of {1, . . . , n} appears in X twice or not at all). 

The problem is to decide whether (1) or (2) holds. (A variant asks us to find a 
collision in a given two-to-one function. Clearly a lower bound for the collision problem as 
defined above implies an equivalent lower bound for this variant.) Because of its simplicity, 
the collision problem was widely considered a benchmark for our understanding of quantum 
query complexity. 

I will show that $Q_2(\mathrm{Col}_n) = \Omega(n^{1/5})$, where $Q_2(f)$ is the bounded-error quantum 
query complexity of function $f$. The best known upper bound, due to Brassard, Høyer, 
and Tapp [BE], is $O(n^{1/3})$ (see Section Pi.l.lj). Previously, though, no lower bound better 
than the trivial $\Omega(1)$ bound was known. How great a speedup quantum computers yield 
for the problem was apparently first asked by Rains [193]. 

Previous lower bound techniques failed for the problem because they depended on 
a function's being sensitive to many disjoint changes to the input. For example, Beals et al. 
[45] showed that for all total Boolean functions $f$, $Q_2(f) = \Omega(\sqrt{\mathrm{bs}(f)})$, where $\mathrm{bs}(f)$ is the 
block sensitivity, defined by Nisan [183] to be, informally, the maximum number of disjoint 
changes (to any particular input $X$) to which $f$ is sensitive. In the case of the collision 
problem, though, every one-to-one input differs from every two-to-one input in at least $n/2$ 
places, so the block sensitivity is $O(1)$. Ambainis's adversary method [27] faces a related 
obstacle. In that method we consider the algorithm and input as a bipartite quantum 
state, and upper-bound how much the entanglement of the state can increase via a single 
query. But under the simplest measures of entanglement, it turns out that the algorithm 
and input can become almost maximally entangled after $O(1)$ queries, again because every 
one-to-one input is far from every two-to-one input.¹ 

1 More formally, the adversary method cannot prove any lower bound on $Q_2(f)$ better than $\mathrm{RC}(f)$, 
where $\mathrm{RC}(f)$ is the randomized certificate complexity of $f$ (to be defined in Chapter |BJ. But for the 
My proof is an adaptation of the polynomial method, introduced to quantum computing 
by Beals et al. [45]. Their idea was to reduce questions about quantum algorithms 
to easier questions about multivariate polynomials. In particular, if a quantum algorithm 
makes $T$ queries, then its acceptance probability is a polynomial over the input bits of 
degree at most $2T$. So by showing that any polynomial approximating the desired output 
has high degree, one obtains a lower bound on $T$. 

To lower-bound the degree of a multivariate polynomial, a key technical trick is to 
construct a related univariate polynomial. Beals et al. [45], using a lemma due to Minsky 
and Papert [178], replace a polynomial $p(X)$ (where $X$ is a bit string) by $q(|X|)$ (where 
$|X|$ denotes the Hamming weight of $X$), satisfying 

$$q(k) = \mathop{\mathrm{EX}}_{|X|=k}\, p(X)$$

and $\deg(q) \le \deg(p)$. 

Here I construct the univariate polynomial in a different way. I consider a uniform 
distribution over g-to-one inputs, where g might be greater than 2. Even though the 
problem is to distinguish g = 1 from g = 2, the acceptance probability must lie in the 
interval [0, 1] for all g, and that is a surprisingly strong constraint. I show that the 
acceptance probability is close to a univariate polynomial in g of degree at most 2T. I then 
obtain a lower bound by generalizing a classical approximation theory result of Ehlich and 
Zeller [104] and Rivlin and Cheney [204]. Much of the proof deals with the complication 
that g does not divide n in general. 

Shortly after this work was completed, Shi [218] improved it to give a tight lower 
bound of $\Omega(n^{1/3})$ for the collision problem, when the $x_i$ range from 1 to $3n/2$ rather than 
from 1 to $n$. For a range of size $n$, his bound was $\Omega(n^{1/4})$. Subsequently Kutin [161] 
and Ambainis [2H] showed a lower bound of $\Omega(n^{1/3})$ for a range of size $n$ as well. By a 
simple reduction, these results imply a lower bound of $\Omega(n^{2/3})$ for the element distinctness 
problem — that of deciding whether there exist $i \ne j$ such that 

The previous best known lower bound was $\Omega(n^{1/2})$, and at the time of Shi's work, the best known upper 
bound was $O(n^{3/4})$, due to Buhrman et al. [77]. Recently, however, Ambainis [HOI gave a 
novel algorithm based on quantum walks that matches the $n^{2/3}$ lower bound. 

The chapter is organized as follows. Section 6.1 motivates the collision lower bound 
within quantum computing, pointing out connections to collision-resistant hash functions, 
the nonabelian hidden subgroup problem, statistical zero-knowledge, and information erasure. 
Section 6.2 gives technical preliminaries, Section 6.3 proves the crucial fact that the 
acceptance probability is "almost" a univariate polynomial, and Section 6.4 completes the 
lower bound argument. I conclude in Section 6.6 with some open problems. In Section 6.5 
I show a lower bound of $\Omega(n^{1/7})$ for the set comparison problem, a variant of the collision 
problem needed for the application to information erasure. 

collision function, $\mathrm{RC}(\mathrm{Col}_n) = O(1)$. 
6.1 Motivation 

In Chapter ^ I listed seven implications of the collision lower bound; this section discusses a 
few of those implications in more detail. The implication that motivated me personally — 
concerning the computational power of so-called hidden-variable theories — is deferred to 
Chapter 16. 

6.1.1 Oracle Hardness Results 

The original motivation for the collision problem was to model (strongly) collision-resistant 
hash functions in cryptography. There is a large literature on collision-resistant hashing; 
see |2U11 R2] for example. When building secure digital signature schemes, it is useful to 
have a family of hash functions $\{H_i\}$, such that finding a distinct $(x, y)$ pair with $H_i(x) = 
H_i(y)$ is computationally intractable. A quantum algorithm for finding collisions using 
$O(\mathrm{polylog}(n))$ queries would render all hash functions insecure against quantum attack 
in this sense. (Shor's algorithm [219] already renders hash functions based on modular 
arithmetic insecure.) My result indicates that collision-resistant hashing might still be 
possible in a quantum setting. 

The collision problem also models the nonabelian hidden subgroup problem, of 
which graph isomorphism is a special case. Given a group $G$ and subgroup $H \le G$, 
suppose we have oracle access to a function $f : G \to \mathbb{N}$ such that for all $g_1, g_2 \in G$, 
$f(g_1) = f(g_2)$ if and only if $g_1$ and $g_2$ belong to the same coset of $H$. Is there then an 
efficient quantum algorithm to determine $H$? If $G$ is abelian, the work of Simon [220], Shor 
[219], and Kitaev [152] implies an affirmative answer. If $G$ is nonabelian, though, efficient 
quantum algorithms are known only for special cases jlL)5l 113^] . An $O(\mathrm{polylog}(n))$-query 
algorithm for the collision problem would yield a polynomial-time algorithm to distinguish 
$|H| = 1$ from $|H| = 2$, which does not exploit the group structure at all. My result implies 
that no such algorithm exists. 

Finally, the collision lower bound implies that there exists an oracle relative to 
which SZK $\not\subset$ BQP, where SZK is the class of problems having statistical zero-knowledge 
proof protocols. For suppose that a verifier $V$ and prover $P$ both have oracle access to 
a sequence $X = x_1 \ldots x_{2^n}$, which is either one-to-one or two-to-one. To verify with zero 
knowledge that $X$ is one-to-one, $V$ can repeatedly choose an $i \in_R \{1, \ldots, 2^n\}$ and send $x_i$ to 
$P$, whereupon $P$ must send $i$ back to $V$. Thus, using standard diagonalization techniques, 
one can produce an oracle $A$ such that $\mathrm{SZK}^A \not\subset \mathrm{BQP}^A$. 
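The verifier's test described above, simulated classically as an added example (not code from the thesis). The function names, the prover's tie-breaking strategy and the sample sizes are assumptions made for illustration.

```python
import random

def one_to_one(n, rng):
    """A random permutation of {1..n}."""
    seq = list(range(1, n + 1))
    rng.shuffle(seq)
    return seq

def two_to_one(n, rng):
    """A random sequence in which n/2 values each appear exactly twice."""
    values = rng.sample(range(1, n + 1), n // 2)
    seq = values + values
    rng.shuffle(seq)
    return seq

class Prover:
    """Computationally unbounded prover: reads all of X once and inverts it."""
    def __init__(self, X, rng):
        self.rng = rng
        self.preimages = {}
        for i, x in enumerate(X):
            self.preimages.setdefault(x, []).append(i)

    def respond(self, value):
        # With two preimages the prover cannot tell which index the verifier
        # picked, so every strategy is right with probability exactly 1/2.
        return self.rng.choice(self.preimages[value])

def verify_one_to_one(X, rounds, rng):
    """Verifier V: pick i at random, send x_i, accept iff P returns i.

    Returns (accepted, verifier_queries). When X is one-to-one the only thing
    P ever returns is the index V chose itself, so V learns nothing new.
    """
    prover = Prover(X, rng)
    queries = 0
    for _ in range(rounds):
        i = rng.randrange(len(X))
        queries += 1                     # V's single oracle query this round
        if prover.respond(X[i]) != i:
            return False, queries
    return True, queries

def acceptance_rate(make_input, n, rounds, trials, seed=0):
    """Fraction of independent runs in which V accepts."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        ok, _ = verify_one_to_one(make_input(n, rng), rounds, rng)
        accepted += ok
    return accepted / trials

if __name__ == "__main__":
    print("one-to-one, 20 rounds:", acceptance_rate(one_to_one, 64, 20, 200))
    print("two-to-one,  1 round :", acceptance_rate(two_to_one, 64, 1, 2000))
    print("two-to-one, 40 rounds:", acceptance_rate(two_to_one, 64, 40, 200))
```

Each round halves the chance that a two-to-one sequence is accepted, while the verifier spends one oracle query per round.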

6.1.2 Information Erasure 

Let $f : \{0,1\}^n \to \{0,1\}^m$ with $m \ge n$ be a one-to-one function. Then we can consider two 
kinds of quantum oracle for $f$: 

(A) a standard oracle, one that maps $|x\rangle |z\rangle$ to 
$|x\rangle |z \oplus f(x)\rangle$, or 

(B) an erasing oracle (as proposed by Kashefi et al. [150]), which maps $|x\rangle$ to $|f(x)\rangle$, in 
effect "erasing" $|x\rangle$. 
Intuitively erasing oracles seem at least as strong as standard ones, though it is 
not clear how to simulate the latter with the former without also having access to an oracle 
that maps $|y\rangle$ to $|f^{-1}(y)\rangle$. The question that concerns us here is whether erasing oracles 
are more useful than standard ones for some problems. One-way functions provide a clue: 
if $f$ is one-way, then (by assumption) $|x\rangle |f(x)\rangle$ can be computed efficiently, but if $|f(x)\rangle$ 
could be computed efficiently given $|x\rangle$ then so could $|x\rangle$ given $|f(x)\rangle$, and hence $f$ could be 
inverted. But can we find, for some problem, an exponential gap between query complexity 
given a standard oracle and query complexity given an erasing oracle? 

In Section 6.5 I extend the collision lower bound to show an affirmative answer. 
Define the set comparison problem of size $n$, or $\mathrm{SetComp}_n$, as follows. We are given as input 
two sequences, $X = x_1 \ldots x_n$ and $Y = y_1 \ldots y_n$, such that for each $i$, $x_i, y_i \in \{1, \ldots, 2n\}$. 
A query has the form $(b, i)$, where $b \in \{0, 1\}$ and $i \in \{1, \ldots, n\}$, and produces as output 
$(0, x_i)$ if $b = 0$ and $(1, y_i)$ if $b = 1$. Sequences $X$ and $Y$ are both one-to-one; that is, $x_i \ne x_j$ 
and $y_i \ne y_j$ for all $i \ne j$. We are furthermore guaranteed that either 

(1) $X$ and $Y$ are equal as sets (that is, $\{x_1, \ldots, x_n\} = \{y_1, \ldots, y_n\}$) or 

(2) $X$ and $Y$ are far as sets (that is, 
$|\{x_1, \ldots, x_n\} \cup \{y_1, \ldots, y_n\}| \ge 1.1n$). 

As before the problem is to decide whether (1) or (2) holds. 

This problem can be solved with high probability in a constant number of queries 
using an erasing oracle, by using a trick similar to that of Watrous [239] for verifying group 
non-membership. First, using the oracle, we prepare the uniform superposition 

$$\frac{1}{\sqrt{2n}} \sum_{i \in \{1, \ldots, n\}} \left( |0\rangle |x_i\rangle + |1\rangle |y_i\rangle \right).$$

We then apply a Hadamard gate to the first register, and finally we measure the first register. 
If $X$ and $Y$ are equal as sets, then interference occurs between every $(|0\rangle |z\rangle, |1\rangle |z\rangle)$ pair 
and we observe $|0\rangle$ with certainty. But if $X$ and $Y$ are far as sets, then basis states $|b\rangle |z\rangle$ 
with no matching $|1-b\rangle |z\rangle$ have probability weight at least 1/10, and hence we observe $|1\rangle$ 
with probability at least 1/20. 
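The interference test above can be checked with a small state-vector calculation. The following is an added example, not code from the thesis; the sample sequences are constructed for illustration, and the standard-oracle comparison (where the index register is kept) is included only to show why erasing the index is what allows the interference.

```python
from collections import defaultdict
from math import sqrt

def erasing_oracle_state(X, Y):
    """(1/sqrt(2n)) * sum_i (|0>|x_i> + |1>|y_i>); keys are (b, z)."""
    amp = 1 / sqrt(2 * len(X))
    state = defaultdict(float)
    for i in range(len(X)):
        state[(0, X[i])] += amp      # |0,i> -> |0,x_i>: the index i is erased
        state[(1, Y[i])] += amp      # |1,i> -> |1,y_i>
    return state

def standard_oracle_state(X, Y):
    """Same superposition via a standard oracle: the index i stays in the state."""
    amp = 1 / sqrt(2 * len(X))
    state = defaultdict(float)
    for i in range(len(X)):
        state[(0, (i, X[i]))] += amp
        state[(1, (i, Y[i]))] += amp
    return state

def hadamard_on_first(state):
    """Apply H to the one-qubit first register of a real-amplitude state."""
    out = defaultdict(float)
    for (b, rest), a in state.items():
        out[(0, rest)] += a / sqrt(2)
        out[(1, rest)] += (a if b == 0 else -a) / sqrt(2)
    return out

def prob_observe_one(state):
    """Probability that measuring the first register after H gives 1."""
    return sum(a * a for (b, _), a in hadamard_on_first(state).items() if b == 1)

def repetitions_needed(p_one, miss_prob):
    """Smallest k with (1 - p_one)^k <= miss_prob."""
    k, remaining = 0, 1.0
    while remaining > miss_prob:
        remaining *= 1 - p_one
        k += 1
    return k

# Constructed inputs with n = 20 and values in {1..2n}.
X_SAMPLE = list(range(1, 21))
Y_EQUAL = list(reversed(X_SAMPLE))        # same set, different order
Y_FAR = [21, 22] + Y_EQUAL[2:]            # |X u Y| = 22 = 1.1n

if __name__ == "__main__":
    print("erasing, equal sets :", prob_observe_one(erasing_oracle_state(X_SAMPLE, Y_EQUAL)))
    print("erasing, far sets   :", prob_observe_one(erasing_oracle_state(X_SAMPLE, Y_FAR)))
    print("standard, equal sets:", prob_observe_one(standard_oracle_state(X_SAMPLE, Y_EQUAL)))
    print("repetitions for 1% miss rate:", repetitions_needed(0.05, 0.01))
```

With the index register retained, the equal-set input gives outcome 1 half the time, so this particular circuit carries no information about the sets when run against a standard oracle.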

In Section 6.5 I sketch a proof that $Q_2(\mathrm{SetComp}_n) = \Omega(n^{1/7})$; that is, no efficient 
quantum algorithm using a standard oracle exists for this problem. Recently, Midrijanis 
[176] gave a lower bound of $\Omega((n/\log n)^{1/5})$ not merely for the set comparison problem, 
but for the set equality problem (where we are promised that $X$ and $Y$ are either equal or 
disjoint). 



6.2 Preliminaries 

Let $A$ be a quantum query algorithm as defined in Section 5.1. A basis state of $A$ is written 
$|i, z\rangle$. Then a query replaces each $|i, z\rangle$ by $|i, z \oplus x_i\rangle$, where $x_i$ is exclusive-OR'ed into some 
specified location of $z$. Between queries, the algorithm can perform any unitary operation 
that does not depend on the input. Let $T$ be the total number of queries. Also, assume 
for simplicity that all amplitudes are real; this restriction is without loss of generality [S3] . 

Let $\alpha^{(t)}_{i,z}(X)$ be the amplitude of basis state $|i, z\rangle$ after $t$ queries when the input 
is $X$. Also, let $\Delta(x_i, h) = 1$ if $x_i = h$, and $\Delta(x_i, h) = 0$ if $x_i \ne h$. Let $P(X)$ be the 
probability that $A$ returns "two-to-one" when the input is $X$. Then we obtain a simple 
variant of a lemma due to Beals et al. [45]. 

Lemma 1 $P(X)$ is a multilinear polynomial of degree at most $2T$ over the $\Delta(x_i, h)$. 

Proof. We show, by induction on $t$, that for all basis states $|i, z\rangle$, the amplitude 
$\alpha^{(t)}_{i,z}(X)$ is a multilinear polynomial of degree at most $t$ over the $\Delta(x_i, h)$. Since $P(X)$ is 
a sum of squares of $\alpha^{(T)}_{i,z}$'s, the lemma follows. 

The base case ($t = 0$) holds since, before making any queries, each $\alpha^{(0)}_{i,z}$ is a degree-0 
polynomial over the $\Delta(x_i, h)$. A unitary transformation on the algorithm part replaces 
each $\alpha^{(t)}_{i,z}$ by a linear combination of $\alpha^{(t)}_{i,z}$'s, and hence cannot increase the degree. Suppose 
the lemma holds prior to the $t$-th query. Then 

$$\alpha^{(t+1)}_{i,z}(X) = \sum_{1 \le h \le n} \alpha^{(t)}_{i, z \oplus h}(X)\, \Delta(x_i, h),$$

and we are done. ■ 

6.3 Reduction to Bivariate Polynomial 

Call the point $(g, N) \in \Re^2$ an $(n, T)$-quasilattice point if and only if 

(1) $g$ and $N$ are integers, with $g$ dividing $N$, 

(2) $1 \le g \le \sqrt{n}$, 

(3) $n \le N \le n + n/(10T)$, and 

(4) if $g = 1$ then $N = n$. 

For quasilattice point $(g, N)$, define $\mathcal{D}_n(g, N)$ to be the uniform distribution over 
all size-$n$ subfunctions of $g$-to-1 functions having domain $\{1, \ldots, N\}$ and range a subset 
of $\{1, \ldots, n\}$. More precisely: to draw an $X$ from $\mathcal{D}_n(g, N)$, we first choose a set $S \subseteq 
\{1, \ldots, n\}$ with $|S| = N/g \le n$ uniformly at random. We then choose a $g$-to-1 function 
$\hat{X} = \hat{x}_1 \ldots \hat{x}_N$ from $\{1, \ldots, N\}$ to $S$ uniformly at random. Finally we let $x_i = \hat{x}_i$ for each 
$1 \le i \le n$. 

Let $P(g, N)$ be the probability that algorithm $A$ returns $z = 2$ when the input is 
chosen from $\mathcal{D}_n(g, N)$: 

$$P(g, N) = \mathop{\mathrm{EX}}_{X \in \mathcal{D}_n(g,N)} [P(X)].$$

We then have the following surprising characterization: 
Lemma 2 For all sufficiently large $n$ and if $T \le \sqrt{n}/3$, there exists a bivariate polynomial 
$q(g, N)$ of degree at most $2T$ such that if $(g, N)$ is a quasilattice point, then 

$$|P(g, N) - q(g, N)| < 0.182$$

(where the constant 0.182 can be made arbitrarily small by adjusting parameters). 

Proof. Let $I$ be a product of $\Delta(x_i, h)$ variables, with degree $r(I)$, and let $I(X) \in 
\{0, 1\}$ be $I$ evaluated on input $X$. Then define 

$$\gamma(I, g, N) = \mathop{\mathrm{EX}}_{X \in \mathcal{D}_n(g,N)} [I(X)]$$

to be the probability that monomial $I$ evaluates to 1 when the input is drawn from $\mathcal{D}_n(g, N)$. 
Then by Lemma 1, $P(X)$ is a polynomial of degree at most $2T$ over $X$, so 

$$P(g, N) = \mathop{\mathrm{EX}}_{X \in \mathcal{D}_n(g,N)} [P(X)] = \mathop{\mathrm{EX}}_{X \in \mathcal{D}_n(g,N)} \left[ \sum_{I : r(I) \le 2T} \beta_I\, I(X) \right] = \sum_{I : r(I) \le 2T} \beta_I\, \gamma(I, g, N)$$

for some coefficients $\beta_I$. 

We now calculate $\gamma(I, g, N)$. Assume without loss of generality that for all 
$\Delta(x_i, h_1), \Delta(x_j, h_2) \in I$, either $i \ne j$ or $h_1 = h_2$, since otherwise $\gamma(I, g, N) = 0$. 

Define the "range" $Z(I)$ of $I$ to be the set of all $h$ such that $\Delta(x_i, h) \in I$. Let 
$w(I) = |Z(I)|$; then we write $Z(I) = \{z_1, \ldots, z_{w(I)}\}$. Clearly $\gamma(I, g, N) = 0$ unless 
$Z(I) \subseteq S$, where $S$ is the range of $\hat{X}$. By assumption, 

$$\frac{N}{g} \ge \frac{n}{\sqrt{n}} \ge 2T \ge r(I)$$

so the number of possible $S$ is $\binom{n}{N/g}$ and, of these, the number that contain $Z$ is 

$$\binom{n - w(I)}{N/g - w(I)}.$$

Then, conditioned on $Z \subseteq S$, what is the probability that $\gamma(I, g, N) = 1$? The 
total number of $g$-to-1 functions with domain size $N$ is $N!/(g!)^{N/g}$, since we can permute 
the $N$ function values arbitrarily, but must not count permutations that act only within 
the $N/g$ constant-value blocks of size $g$. 

Among these functions, how many satisfy $\gamma(I, g, N) = 1$? Suppose that, for each 
$1 \le j \le w(I)$, there are $r_j(I)$ distinct $i$ such that $\Delta(x_i, z_j) \in I$. Clearly 

$$r_1(I) + \cdots + r_{w(I)}(I) = r(I).$$
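Then we can permute the $(N - r(I))!$ function values outside of $I$ arbitrarily, but must not 
count permutations that act only within the $N/g$ constant-value blocks, which have size 
either $g$ or $g - r_i(I)$ for some $i$. So the number of functions for which $\gamma(I, g, N) = 1$ is 

$$\frac{(N - r(I))!}{(g!)^{N/g - w(I)} \prod_{i=1}^{w(I)} (g - r_i(I))!}.$$

Putting it all together, 

$$\begin{aligned}
\gamma(I, g, N) &= \frac{\binom{n - w(I)}{N/g - w(I)}}{\binom{n}{N/g}} \cdot \frac{(N - r(I))!\,(g!)^{N/g}}{(g!)^{N/g - w(I)}\, N! \prod_{i=1}^{w(I)} (g - r_i(I))!} \\
&= \frac{(N - r(I))!\,(n - w(I))!\,(N/g)!}{N!\,n!\,(N/g - w(I))!} \cdot \frac{(g!)^{w(I)}}{\prod_{i=1}^{w(I)} (g - r_i(I))!} \\
&= \frac{(N - r(I))!}{N!} \cdot \frac{(n - w(I))!}{n!} \cdot \prod_{i=0}^{w(I)-1} \left( \frac{N}{g} - i \right) \prod_{i=1}^{w(I)} \left[ g \prod_{j=1}^{r_i(I)-1} (g - j) \right] \\
&= \frac{(N - 2T)!\,n!}{N!\,(n - 2T)!}\; q_{n,T,I}(g, N)
\end{aligned}$$

where 

$$q_{n,T,I}(g, N) = \frac{(n - w(I))!\,(n - 2T)!}{(n!)^2} \cdot \prod_{i=r(I)}^{2T-1} (N - i) \prod_{i=0}^{w(I)-1} (N - gi) \prod_{i=1}^{w(I)} \prod_{j=1}^{r_i(I)-1} (g - j)$$

is a bivariate polynomial of total degree at most 

$$(2T - r(I)) + w(I) + (r(I) - w(I)) = 2T.$$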

(Note that in the case $r_i(I) > g$ for some $i$, this polynomial evaluates to 0, which is what 
it ought to do.) Hence 

$$P(g, N) = \sum_{I : r(I) \le 2T} \beta_I\, \gamma(I, g, N) = \frac{(N - 2T)!\,n!}{N!\,(n - 2T)!}\; q(g, N)$$

where 

$$q(g, N) = \sum_{I : r(I) \le 2T} \beta_I\, q_{n,T,I}(g, N).$$

Clearly 

$$\frac{(N - 2T)!\,n!}{N!\,(n - 2T)!} \le 1.$$
Since $N \le n + n/(10T)$ and $T \le \sqrt{n}/3$, we also have 

$$\frac{(N - 2T)!\,n!}{N!\,(n - 2T)!} \ge \left( \frac{n - 2T + 1}{N - 2T + 1} \right)^{2T} \ge \exp\left\{ -\frac{1}{5} \cdot \frac{n}{n - (2T + 1)/n} \right\} \ge 0.818$$

for all sufficiently large $n$. Thus, since $0 \le P(g, N) \le 1$, 

$$|P(g, N) - q(g, N)| < 0.182$$

and we are done. ■ 



6.4 Lower Bound 



We have seen that, if a quantum algorithm for the collision problem makes few queries, 
then its acceptance probability can be approximated by a low-degree bivariate polynomial. 
This section completes the lower bound proof by showing that no such polynomial exists. 
To do so, it generalizes an approximation theory result due to Rivlin and Cheney [204] and 
(independently) Ehlich and Zeller [104]. That result was applied to query complexity by 
Nisan and Szegedy [184] and later by Beals et al. [45]. 

Theorem 3 $Q_2(\mathrm{Col}_n) = \Omega(n^{1/5})$. 

Proof. Let $g$ have range $1 \le g \le G$. Then the quasilattice points $(g, N)$ all lie 
in the rectangular region $R = [1, G] \times [n, n + n/(10T)]$. Recalling the polynomial $q(g, N)$ 
from Lemma 2, define 

$$d(q) = \max_{(g,N) \in R} \max\left\{ \left| \frac{\partial q}{\partial g} \right|,\ \frac{n}{10T(G - 1)} \cdot \left| \frac{\partial q}{\partial N} \right| \right\}.$$

Suppose without loss of generality that we require 

$$P(1, n) \le \frac{1}{10} \quad \text{and} \quad P(2, n) \ge \frac{9}{10}$$

(that is, algorithm $A$ distinguishes 1-to-1 from 2-to-1 functions with error probability at 
most 1/10). Then, since 

$$|P(g, N) - q(g, N)| < 0.182$$

by elementary calculus we have 

$$d(q) \ge \max_{1 \le g \le 2} \frac{\partial q}{\partial g} > 0.8 - 2(0.182) = 0.436.$$

An inequality due to Markov (see [8*2* 1 H84j ) states that, for a univariate polynomial $p$, if 
$b_1 \le p(x) \le b_2$ for all $a_1 \le x \le a_2$, then 

$$\max_{a_1 \le x \le a_2} \left| \frac{dp(x)}{dx} \right| \le \frac{b_2 - b_1}{a_2 - a_1} \deg(p)^2.$$
Clearly for every point $(\hat{g}, \hat{N}) \in R$, there exists a quasilattice point $(g, N)$ for which 

$$|g - \hat{g}| \le 1 \quad \text{and} \quad |N - \hat{N}| \le G.$$

For take $g = \lceil \hat{g} \rceil$ — or, in the special case $\hat{g} = 1$, take $g = 2$, since there is only one quasilattice 
point with $g = 1$. Furthermore, since $P(g, N)$ represents an acceptance probability at such 
a point, we have 

$$-0.182 < q(g, N) < 1.182.$$

Observe that for all $(\hat{g}, \hat{N}) \in R$, 

$$-0.182 - \left( \frac{10TG(G - 1)}{n} + 1 \right) d(q) < q(\hat{g}, \hat{N}) < 1.182 + \left( \frac{10TG(G - 1)}{n} + 1 \right) d(q).$$

For consider a quasilattice point close to $(\hat{g}, \hat{N})$, and note that the maximum-magnitude 
derivative is at most $d(q)$ in the $g$ direction and $10T(G - 1)\,d(q)/n$ in the $N$ 
direction. 

Let $(g^*, N^*)$ be a point in $R$ at which the weighted maximum-magnitude derivative 
$d(q)$ is attained. Suppose first that the maximum is attained in the $g$ direction. Then 
$q(g, N^*)$ (with $N^*$ constant) is a univariate polynomial with 

$$\left| \frac{\partial q(g, N^*)}{\partial g} \right| > 0.436$$

for some $1 \le g \le G$. So 

$$2T \ge \deg(q(g, N^*)) \ge \sqrt{ \frac{d(q)\,(G - 1)}{1.364 + 2d(q)\,(1 + 10TG(G - 1)/n)} } = \Omega\left( \min\left\{ \sqrt{G},\ \sqrt{\frac{n}{TG}} \right\} \right).$$

Similarly, suppose the maximum $d(q)$ is attained in the $N$ direction. Then 
$q(g^*, N)$ (with $g^*$ constant) is a univariate polynomial with 

$$\left| \frac{\partial q(g^*, N)}{\partial N} \right| > \frac{0.436\,T(G - 1)}{n}$$

for some $n \le N \le n + n/(10T)$. So 

$$2T \ge \sqrt{ \frac{(10T(G - 1)/n)\,d(q)\,n/(10T)}{1.364 + 2d(q)\,(1 + 10TG(G - 1)/n)} } \ge \Omega\left( \min\left\{ \sqrt{G},\ \sqrt{\frac{n}{TG}} \right\} \right).$$
One can show that the lower bound on $T$ is optimized when we take $G = n^{2/5} \le 
\sqrt{n}$. Then 

$$T = \Omega(n^{1/5})$$

and we are done. ■ 

6.5 Set Comparison 

Here I sketch a proof that $Q_2(\mathrm{SetComp}_n) = \Omega(n^{1/7})$, where $\mathrm{SetComp}_n$ is the set comparison 
problem of size $n$ as defined in Section 6.1.2. 

The idea is the following. We need a distribution of inputs with a parameter $g$, 
such that the inputs are one-to-one when $g = 1$ or $g = 2$ — since otherwise the problem of 
distinguishing $g = 1$ from $g = 2$ would be ill-defined for erasing oracles. On the other 
hand, the inputs must not be one-to-one for all $g > 2$ — since otherwise the lower bound for 
standard oracles would apply also to erasing oracles, and we would not obtain a separation 
between the two. Finally, the acceptance probability must be close to a polynomial in $g$. 

The solution is to consider $k(g)$-to-one inputs, where 

$$k(g) = 4g^2 - 12g + 9$$

is a quadratic with $k(1) = k(2) = 1$. The total range of the inputs (on sequences $X$ and 
$Y$ combined) has size roughly $n/g$; thus, we can tell the $g = 1$ inputs apart from the $g = 2$ 
inputs using an erasing oracle, even though $k(g)$ is the same for both. The disadvantage is 
that, because $k(g)$ increases quadratically rather than linearly in $g$, the quasilattice points 
become sparse more quickly. That is what weakens the lower bound from $\Omega(n^{1/5})$ to 
$\Omega(n^{1/7})$. Note that, using the ideas of Shi [218], one can improve my lower bound on 
$Q_2(\mathrm{SetComp}_n)$ to $\Omega(n^{1/6})$. 

Call $(g, N, M) \in \Re^3$ an $(n, T)$-super-quasilattice point if and only if 

(1) $g$ is an integer in $[1, n^{1/3}]$, 

(2) $N$ and $M$ are integers in $[n, n(1 + 1/(100T))]$, 

(3) g divides N, 

(4) if g = 1 then N = n, 

(5) k (g) divides M, and 

(6) if g = 2 then M = n. 

For super-quasilattice point $(g, N, M)$, we draw input $(X, Y) = (x_1 \ldots x_n, y_1 \ldots y_n)$ 
from distribution $\mathcal{L}_n(g, N, M)$ as follows. We first choose a set $S \subseteq \{1, \ldots, 2n\}$ with 
$|S| = 2N/g \le 2n$ uniformly at random. We then choose two sets $S_X, S_Y \subseteq S$ with 
$|S_X| = |S_Y| = M/k(g) \le |S|$, uniformly at random and independently. Next we choose 
$k(g)$-to-1 functions $\hat{X} = \hat{x}_1 \ldots \hat{x}_M : \{1, \ldots, M\} \to S_X$ and $\hat{Y} = \hat{y}_1 \ldots \hat{y}_M : \{1, \ldots, M\} \to S_Y$ 
uniformly at random and independently. Finally we let $x_i = \hat{x}_i$ and $y_i = \hat{y}_i$ for each 
$1 \le i \le n$. 

Define sets $X_S = \{x_1, \ldots, x_n\}$ and $Y_S = \{y_1, \ldots, y_n\}$. Suppose $g = 1$ and 
$N = M = n$; then by Chernoff bounds, 

$$\Pr_{(X,Y) \in \mathcal{L}_n(1,n,n)} \left[ |X_S \cup Y_S| < 1.1n \right] \le 2e^{-n/10}.$$

Thus, if algorithm $A$ can distinguish $|X_S \cup Y_S| = n$ from $|X_S \cup Y_S| \ge 1.1n$ with probability 
at least 9/10, then it can distinguish $(X, Y) \in \mathcal{L}_n(1, n, n)$ from $(X, Y) \in \mathcal{L}_n(2, n, n)$ with 
probability at least $9/10 - 2e^{-n/10}$. So a lower bound for the latter problem implies an 
equivalent lower bound for the former. 

Define $P(X, Y)$ to be the probability that the algorithm returns that $X$ and $Y$ 
are far on input $(X, Y)$, and let 

$$P(g, N, M) = \mathop{\mathrm{EX}}_{(X,Y) \in \mathcal{L}_n(g,N,M)} [P(X, Y)].$$

We then have 

Lemma 4 For all sufficiently large $n$ and if $T \le n^{1/3}/8$, there exists a trivariate polynomial 
$q(g, N, M)$ of degree at most $8T$ such that if $(g, N, M)$ is a super-quasilattice point, then 

$$|P(g, N, M) - q(g, N, M)| < \varepsilon$$

for some constant $0 < \varepsilon < 1/2$. 

Proof Sketch. By analogy to Lemma 1, $P(X, Y)$ is a multilinear polynomial 
of degree at most $2T$ over variables of the form $\Delta(x_i, h)$ and $\Delta(y_i, h)$. Let $I(X, Y) = 
I_X(X)\, I_Y(Y)$ where $I_X$ is a product of $r_X(I)$ distinct $\Delta(x_i, h)$ variables and $I_Y$ is a product 
of $r_Y(I)$ distinct $\Delta(y_i, h)$ variables. Let $r(I) = r_X(I) + r_Y(I)$. Define 

$$\gamma(I, g, N, M) = \mathrm{EX}\, [I(X, Y)];$$

then 

$$P(g, N, M) = \sum_{I : r(I) \le 2T} \beta_I\, \gamma(I, g, N, M)$$

for some coefficients $\beta_I$. We now calculate $\gamma(I, g, N, M)$. As before we assume there are 
no pairs of variables $\Delta(x_i, h_1), \Delta(x_i, h_2) \in I$ with $h_1 \ne h_2$. Let $Z_X(I)$ be the range of $I_X$ 
and let $Z_Y(I)$ be the range of $I_Y$. Then let $Z(I) = Z_X(I) \cup Z_Y(I)$. Let $w_X(I) = |Z_X(I)|$, 
$w_Y(I) = |Z_Y(I)|$, and $w(I) = |Z(I)|$. By assumption 

$$\frac{N}{g} \ge \frac{M}{k(g)} \ge \frac{1}{4} n^{1/3} \ge 2T$$
so 

$$\Pr[Z(I) \subseteq S] = \frac{\binom{2n - w(I)}{2N/g - w(I)}}{\binom{2n}{2N/g}}.$$

The probabilities that $Z_X(I) \subseteq S_X$ given $Z(I) \subseteq S$ and $Z_Y(I) \subseteq S_Y$ given $Z(I) \subseteq S$ can 
be calculated similarly. 

Let $r_{X,1}(I), \ldots, r_{X,w_X(I)}(I)$ be the multiplicities of the range elements in $Z_X(I)$, 
so that 

$$r_{X,1}(I) + \cdots + r_{X,w_X(I)}(I) = r_X(I).$$

Then 

$$\Pr[I_X(X) \mid Z_X(I) \subseteq S_X] = \frac{(M - r_X(I))!}{M!} \prod_{i=1}^{w_X(I)} \prod_{j=0}^{r_{X,i}(I)-1} (k(g) - j)$$

and similarly for $\Pr[I_Y(Y) \mid Z_Y(I) \subseteq S_Y]$. 

Putting it all together and manipulating, we obtain (analogously to Lemma 2) 
that 

$$\gamma(I, g, N, M) \approx q_{n,T,I}(g, N, M)$$

where $q_{n,T,I}(g, N, M)$ is a trivariate polynomial in $(g, N, M)$ of total degree at most $8T$. 
Thus 

$$P(g, N, M) \approx q(g, N, M)$$

where $q(g, N, M)$ is a polynomial of total degree at most $8T$. The argument that $q$ 
approximates $P$ to within a constant is analogous to that of Lemma 2. ■ 

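The remainder of the lower bound argument follows the lines of Theorem 3. 

Theorem 5 $Q_2(\mathrm{SetComp}_n) = \Omega(n^{1/7})$. 

Proof Sketch. Let $g \in [1, G]$ for some $G \le n^{1/3}$. Then the super-quasilattice 
points $(g, N, M)$ all lie in $R = [1, G] \times [n, n + n/(100T)]^2$. Define $d(q)$ to be 

$$\max_{(g,N,M) \in R} \max\left\{ \left| \frac{\partial q}{\partial g} \right|,\ \frac{n/100T}{(G - 1)} \left| \frac{\partial q}{\partial N} \right|,\ \frac{n/100T}{(G - 1)} \left| \frac{\partial q}{\partial M} \right| \right\}.$$

Then $d(q) \ge \delta$ for some constant $\delta > 0$, by Lemma 4. 

For every point $(\hat{g}, \hat{N}, \hat{M}) \in R$, there exists a super-quasilattice point $(g, N, M)$ 
such that $|g - \hat{g}| \le 1$, $|N - \hat{N}| \le G$, and $|M - \hat{M}| \le k(G)$. Hence, $q(\hat{g}, \hat{N}, \hat{M})$ can 
deviate from $[0, 1]$ by at most 

$$O\left( \left( \frac{TG^3}{n} + 1 \right) d(q) \right).$$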
Let $(g^*, N^*, M^*)$ be a point in $R$ at which $d(q)$ is attained. Suppose $d(q)$ is 
attained in the $g$ direction; the cases of the $N$ and $M$ directions are analogous. Then 
$q(g, N^*, M^*)$ is a univariate polynomial in $g$, and 

$$8T \ge \deg(q(g, N^*, M^*)) = \Omega\left( \min\left\{ \sqrt{G},\ \sqrt{\frac{n}{TG^2}} \right\} \right).$$

One can show that the bound is optimized when we take $G = n^{2/7} \le n^{1/3}$. Then 

$$T = \Omega\left( \min\left\{ n^{1/7},\ \frac{\sqrt{n}}{\sqrt{T}\, n^{2/7}} \right\} \right),$$

$$T = \Omega(n^{1/7}).$$



6.6 Open Problems 

In my original paper on the collision problem, I listed four open problems: improving the 
collision lower bound to $\Omega(n^{1/3})$; showing any nontrivial quantum lower bound for the set 
equality problem; proving a time-space tradeoff lower bound for the collision problem; and 
deciding whether quantum query complexity and degree as a real polynomial are always 
asymptotically equal. Happily, three of these problems have since been resolved [161, 176, 
28], but the time-space tradeoff remains wide open. We would like to say (for example) 
that if a quantum computer is restricted to using $O(\log n)$ qubits, then it needs $\Theta(\sqrt{n})$ 
queries for the collision problem, ordinary Grover search being the best possible algorithm. 
Currently, we cannot show such a result for any problem with Boolean output, only for 
problems such as sorting with a large non-Boolean output [156]. 

Another problem is to give an oracle relative to which SZK $\not\subset$ QMA, where QMA 
is Quantum Merlin Arthur as defined in |2.'ffl| . In other words, show that if a function is 
one-to-one rather than two-to-one, then this fact cannot be verified using a small number 
of quantum queries, even with the help of a succinct quantum proof. 

Finally, is it the case that for all (partial or total) functions $f$ that are invariant 
under permutation symmetry, $R_2(f)$ and $Q_2(f)$ are polynomially related? 
Chapter 7 

Local Search 



This chapter deals with the following problem. 

Local Search. Given an undirected graph $G = (V, E)$ and function $f : V \to \mathbb{N}$, 
find a local minimum of $f$ — that is, a vertex $v$ such that $f(v) \le f(w)$ for all neighbors $w$ 
of $v$. 

We will be interested in the number of queries that an algorithm needs to solve 
this problem, where a query just returns $f(v)$ given $v$. We will consider deterministic, 
randomized, and quantum algorithms. Section 7.1 motivates the problem theoretically and 
practically; this section explains the results. 

First, though, we need some simple observations. If $G$ is the complete graph of 
size $N$, then clearly $\Omega(N)$ queries are needed to find a local minimum (or $\Omega(\sqrt{N})$ with 
a quantum computer). At the other extreme, if $G$ is a line of length $N$, then even a 
deterministic algorithm can find a local minimum in $O(\log N)$ queries, using binary search: 
query the middle two vertices, $v$ and $w$. If $f(v) \le f(w)$, then search the line of length 
$(N - 2)/2$ connected to $v$; otherwise search the line connected to $w$. Continue recursively 
in this manner until a local minimum is found. 
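The binary search on a line, written out with a query counter. This is an added example, not code from the thesis; it is a variant that keeps the smaller of the two middle vertices inside the retained half, and the function names and test inputs are assumptions.

```python
from itertools import permutations
from math import ceil, log2

def local_min_on_line(f, N):
    """Find a local minimum of f on the path 0 - 1 - ... - (N-1).

    Returns (vertex, number_of_distinct_queries_to_f).
    """
    cache = {}

    def query(v):
        if v not in cache:
            cache[v] = f(v)
        return cache[v]

    lo, hi = 0, N - 1
    # Invariant: f(lo) <= f(lo - 1) whenever lo > 0, and f(hi) <= f(hi + 1)
    # whenever hi < N - 1. Hence the smallest value inside [lo, hi] is a local
    # minimum of the whole line, and shrinking to one vertex finds one.
    while lo < hi:
        v = (lo + hi) // 2          # the middle two vertices are v and w
        w = v + 1
        if query(v) <= query(w):
            hi = v                  # keep the half attached to v
        else:
            lo = w                  # keep the half attached to w
    return lo, len(cache)

def is_local_min(f, N, v):
    return all(f(v) <= f(w) for w in (v - 1, v + 1) if 0 <= w < N)

def exhaustive_check(N):
    """Run the search on every ordering of N distinct values.

    Returns the largest query count seen; raises if any answer is wrong.
    """
    worst = 0
    for values in permutations(range(N)):
        v, queries = local_min_on_line(values.__getitem__, N)
        if not is_local_min(values.__getitem__, N, v):
            raise AssertionError(f"not a local minimum: {values} -> {v}")
        worst = max(worst, queries)
    return worst

if __name__ == "__main__":
    N = 1000
    f = lambda v: (v * 7919) % 1009          # constructed bumpy landscape
    v, queries = local_min_on_line(f, N)
    print(v, queries, is_local_min(f, N, v), "bound:", 2 * ceil(log2(N)))
    print("worst case over all orderings of 7 values:", exhaustive_check(7))
```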

So the interesting case is when $G$ is a graph of 'intermediate' connectedness: for 
example, the Boolean hypercube $\{0, 1\}^n$, with two vertices adjacent if and only if they have 
Hamming distance 1. For this graph, Llewellyn, Tovey, and Trick [169] showed a $\Omega(2^n/\sqrt{n})$ 
lower bound on the number of queries needed by any deterministic algorithm, using a simple 
adversary argument. Intuitively, until the set of vertices queried so far comprises a vertex 
cut (that is, splits the graph into two or more connected components), an adversary is free 
to return a descending sequence of $f$-values: $f(v_1) = 2^n$ for the first vertex $v_1$ queried by 
the algorithm, $f(v_2) = 2^n - 1$ for the second vertex queried, and so on. Moreover, once the 
set of queried vertices does comprise a cut, the adversary can choose the largest connected 
component of unqueried vertices, and restrict the problem recursively to that component. 
So to lower-bound the deterministic query complexity, it suffices to lower-bound the size 
of any cut that splits the graph into two reasonably large components.¹ For the Boolean 
hypercube, Llewellyn et al. showed that the best one can do is essentially to query all 
$\Omega(2^n/\sqrt{n})$ vertices of Hamming weight $n/2$. 

1 Llewellyn et al. actually give a tight characterization of deterministic query complexity in terms of vertex 
cuts. 
Llewellyn et al.'s argument fails completely in the case of randomized algorithms. 
By Yao's minimax principle, what we want here is a fixed distribution $\mathcal{D}$ over functions 
$f : \{0, 1\}^n \to \mathbb{N}$, such that any deterministic algorithm needs many queries to find a local 
minimum of $f$, with high probability if $f$ is drawn from $\mathcal{D}$. Taking $\mathcal{D}$ to be uniform will 
not do, since a local minimum of a uniform random function is easily found. However, 
Aldous [2H had the idea of defining $\mathcal{D}$ via a random walk, as follows. Choose a vertex 
$v_0 \in \{0, 1\}^n$ uniformly at random; then perform an unbiased walk² $v_0, v_1, v_2, \ldots$ starting 
from $v_0$. For each vertex $v$, set $f(v)$ equal to the first hitting time of the walk at $v$ — 
that is, $f(v) = \min\{t : v_t = v\}$. Clearly any $f$ produced in this way has a unique local 
minimum at $v_0$, since for all $t > 0$, if vertex $v_t$ is visited for the first time at step $t$ then 
$f(v_t) > f(v_{t-1})$. Using sophisticated random walk analysis, Aldous managed to show 
a lower bound of $2^{n/2 - o(n)}$ on the expected number of queries needed by any randomized 
algorithm to find $v_0$.³ (As we will see in Section 7.2, this lower bound is close to tight.) 
Intuitively, since a random walk on the hypercube mixes in $O(n \log n)$ steps, an algorithm 
that has not queried a $v$ with $f(v) < 2^{n/2}$ has almost no useful information about where 
the unique minimum $v_0$ is, so its next query will just be a "stab in the dark." 
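The hitting-time construction can be built and checked directly on a small hypercube. This is an added example, not code from the thesis; it assumes a discrete-time walk that is run until every vertex has been visited (so that $f$ is defined everywhere), and the function names are hypothetical.

```python
import random

def neighbors(v, n):
    """Vertices of {0,1}^n at Hamming distance 1 from v (v encoded as an int)."""
    return [v ^ (1 << k) for k in range(n)]

def hitting_time_function(n, rng):
    """Walk from a uniformly random v0; f[v] is the first time the walk is at v.

    Returns (f, v0). The walk stops once all 2^n vertices have been hit.
    """
    v0 = rng.randrange(1 << n)
    f = {v0: 0}
    v, t = v0, 0
    while len(f) < (1 << n):
        t += 1
        v = rng.choice(neighbors(v, n))
        f.setdefault(v, t)          # later visits do not change f[v]
    return f, v0

def local_minima(f, n):
    """All vertices v with f(v) <= f(w) for every neighbor w."""
    return [v for v in f if all(f[v] <= f[w] for w in neighbors(v, n))]

def greedy_descent(f, n, start):
    """Move to the smallest neighbor until stuck.

    Returns (vertex_reached, number_of_distinct_vertices_queried).
    """
    queried = {start}
    v = start
    while True:
        nbrs = neighbors(v, n)
        queried.update(nbrs)
        best = min(nbrs, key=f.__getitem__)
        if f[best] >= f[v]:
            return v, len(queried)
        v = best

if __name__ == "__main__":
    n = 8
    rng = random.Random(0)
    f, v0 = hitting_time_function(n, rng)
    print("unique local minimum at v0:", local_minima(f, n) == [v0])
    start = rng.randrange(1 << n)
    reached, queries = greedy_descent(f, n, start)
    print("descent reached v0:", reached == v0, "queries:", queries, "of", 1 << n)
```

Every vertex other than $v_0$ was entered from a neighbor with a strictly smaller hitting time, which is why the list of local minima has exactly one element.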

However, Aldous's result leaves several questions about Local Search unan- 
swered. What if the graph G is a 3-D cube, on which a random walk does not mix very 
rapidly? Can we still lower-bound the randomized query complexity of finding a local 
minimum? More generally, what parameters of G make the problem hard or easy? Also, 
what is the quantum query complexity of Local Search? 

This chapter presents a new approach to Local Search, which I believe points the 
way to a complete understanding of its complexity. The approach is based on Ambainis's 
quantum adversary method [27]. Surprisingly, the approach yields new and simpler lower 
bounds for the problem's classical randomized query complexity, in addition to quantum 
lower bounds. Thus, along with recent work by Kerenidis and de Wolf [151] and by
Aharonov and Regev [221 > the results of this chapter illustrate how quantum ideas can help 
to resolve classical open problems. 

The results are as follows. For the Boolean hypercube $G = \{0,1\}^n$, I show that
any quantum algorithm needs $\Omega(2^{n/4}/n)$ queries to find a local minimum on $G$, and any
randomized algorithm needs $\Omega(2^{n/2}/n^2)$ queries (improving the $2^{n/2-o(n)}$ lower bound of
Aldous [21]). The proofs are elementary and do not require random walk analysis. By
comparison, the best known upper bounds are $O(2^{n/3} n^{1/6})$ for a quantum algorithm and
$O(2^{n/2} \sqrt{n})$ for a randomized algorithm. If $G$ is a $d$-dimensional grid of size
$N^{1/d} \times \cdots \times N^{1/d}$, where $d \geq 3$ is a constant, then I show that any quantum algorithm needs

queries to find a local minimum on G, and any randomized algorithm 

needs $\Omega(N^{1/2-1/d}/\log N)$ queries. No nontrivial lower bounds (randomized or quantum)
were previously known in this case.⁴

In a preprint discussing these results, I raised as my "most ambitious" conjecture 
that the deterministic and quantum query complexities of local search are polynomially 
related for every family of graphs. At the time, it was not even known whether deterministic 

² Actually, Aldous used a continuous-time random walk, so the functions would be from $\{0,1\}^n$ to $\mathbb{R}$.
³ Independently and much later, Droste et al. [99] showed the weaker bound $2^{g(n)}$ for any $g(n) = o(n)$.
⁴ A lower bound on deterministic query complexity was known for such graphs [168].

and randomized query complexities were polynomially related, not even for simple examples
such as the 2-dimensional square grid. Subsequently Santha and Szegedy [211] spectacularly
resolved the conjecture, by showing that the quantum query complexity is always at least
the 19th root (!) of the deterministic complexity. On the other hand, in the specific case of
the hypercube, my lower bound is close to tight; Santha and Szegedy's is not. Also, I give 
randomized lower bounds that are quadratically better than my quantum lower bounds; 
Santha and Szegedy give only quantum lower bounds. 

In another recent development, Ambainis [23] has improved the $\Omega(2^{n/4}/n)$ quantum
lower bound for local search on the hypercube to $2^{n/3}/n^{O(1)}$, using a hybrid argument.
Note that Ambainis's lower bound matches the upper bound up to a polynomial factor. 

The chapter is organized as follows. Section 7.1 motivates lower bounds on Local
Search, pointing out connections to simulated annealing, quantum adiabatic algorithms,
and the complexity class TFNP of total function problems. Section 7.2 defines notation and
reviews basic facts about Local Search, including upper bounds. In Section 7.3 I give
an intuitive explanation of Ambainis's quantum adversary method, then state and prove a
classical analogue of Ambainis's main lower bound theorem. Section 7.4 introduces snakes,
a construction by which I apply the two adversary methods to Local Search. I show
there that to prove lower bounds for any graph G, it suffices to upper-bound a combinatorial
parameter $\varepsilon$ of a 'snake distribution' on G. Section 7.5 applies this framework to specific
examples of graphs: the Boolean hypercube in Section 7.5.1 and the d-dimensional grid in
Section 7.5.2.

7.1 Motivation 

Local search is the most effective weapon ever devised against hard optimization problems. 
For many real applications, neither backtrack search, nor approximation algorithms, nor 
even Grover's algorithm can compare. Furthermore, along with quantum computing, local 
search (broadly defined) is one of the most interesting links between computer science and 
Nature. It is related to evolutionary biology via genetic algorithms, and to the physics of 
materials via simulated annealing. Thus it is both practically and scientifically important 
to understand its performance. 

The conventional wisdom is that, although local search performs well in practice, 
its central (indeed defining) flaw is a tendency to get stuck at local optima. If this were 
correct, one corollary would be that the reason local search performs so well is that the 
problem it really solves — finding a local optimum — is intrinsically easy. It would thus be 
unnecessary to seek further explanations for its performance. Another corollary would be 
that, for unimodal functions (which have no local optima besides the global optimum), the 
global optimum would be easily found. 

However, the conventional wisdom is false. The results of Llewellyn et al. [169]
and Aldous [23] show that even if $f$ is unimodal, any classical algorithm that treats $f$ as a
black box needs exponential time to find the global minimum of $f$ in general. My results
extend this conclusion to quantum algorithms. In my view, the practical upshot of these
results is that they force us to confront the question: What is it about 'real-world' problems
that makes it easy to find a local optimum? That is, why do exponentially long chains
of descending values, such as those used for lower bounds, almost never occur in practice,
even in functions with large range sizes? One possibility is that the functions that occur in 
practice look "globally" like random functions, but I do not know whether that is true in 
any meaningful sense. 

The results of this chapter are also relevant for physics. Many physical systems,
including folding proteins and networks of springs and pulleys, can be understood as
performing 'local search' through an energy landscape to reach a locally-minimal energy
configuration. A key question is, how long will the system take to reach its ground state
(that is, a globally-minimal configuration)? Of course, if there are local optima, the system
might never reach its ground state, just as a rock in a mountain crevice does not roll
to the bottom by going up first. But what if the energy landscape is unimodal? And
moreover, what if the physical system is quantum? My results show that, for certain energy
landscapes, even a quantum system would take exponential time to reach its ground
state, regardless of what external Hamiltonian is applied to "drive" it. So in particular,
the quantum adiabatic algorithm proposed by Farhi et al. [106], which can be seen as a
quantum analogue of simulated annealing, needs exponential time to find a local minimum
in the worst case.

Finally, this chapter's results have implications for so-called total function problems 
in complexity theory. Megiddo and Papadimitriou [174] defined a complexity class TFNP,
consisting (informally) of those NP search problems for which a solution always exists.
For example, we might be given a function $f : \{0,1\}^n \to \{0,1\}^{n-1}$ as a Boolean circuit,
and asked to find any distinct $x, y$ pair such that $f(x) = f(y)$. This particular problem
belongs to a subclass of TFNP called PPP (Polynomial Pigeonhole Principle). Notice that
no promise is involved: the combinatorial nature of the problem itself forces a solution to
exist, even if we have no idea how to find it. In a recent talk, Papadimitriou [187] asked
broadly whether such 'nonconstructive existence problems' might be good candidates for 
efficient quantum algorithms. In the case of PPP problems like the one above, the collision 
lower bound of Chapter implies a negative answer in the black-box setting. For other 
subclasses of TFNP, such as PODN (Polynomial Odd-Degree Node), a quantum black-box 
lower bound follows easily from the optimality of Grover's search algorithm. 

However, there is one important subclass of TFNP for which no quantum lower
bound was previously known. This is PLS (Polynomial Local Search), defined by Johnson,
Papadimitriou, and Yannakakis [149] as a class of optimization problems whose cost function
$f$ and neighborhood function $\eta$ (that is, the set of neighbors of a given point) are both
computable in polynomial time.⁵ Given such a problem, the task is to output any local
minimum of the cost function: that is, a $v$ such that $f(v) \leq f(w)$ for all $w \in \eta(v)$. The
lower bound of Llewellyn et al. [169] yields an oracle $A$ relative to which $\mathsf{FP}^A \neq \mathsf{PLS}^A$,
by a standard diagonalization argument along the lines of Baker, Gill, and Solovay [41].
Likewise, the lower bound of Aldous [23] yields an oracle relative to which $\mathsf{PLS} \not\subseteq \mathsf{FBPP}$,
where FBPP is simply the function version of BPP. The results of this chapter yield the
first oracle relative to which $\mathsf{PLS} \not\subseteq \mathsf{FBQP}$. In light of this oracle separation, I raise an

⁵ Some authors require only the minimum neighbor of a given point to be computable in polynomial
time, which does not seem like the "right" idealization to me. In any case, for lower bound purposes we
always assume the algorithm knows the whole neighborhood structure in advance, and does not need to
make queries to learn about it.

admittedly vague question: is there a nontrivial "combinatorial" subclass of TFNP that we
can show is contained in FBQP?

7.2 Preliminaries 

In the Local Search problem, we are given an undirected graph $G = (V, E)$ with $N = |V|$,
and oracle access to a function $f : V \to \mathbb{N}$. The goal is to find any local minimum of $f$,
defined as a vertex $v \in V$ such that $f(v) \leq f(w)$ for all neighbors $w$ of $v$. Clearly such a
local minimum exists. We want to find one using as few queries as possible, where a query
returns $f(v)$ given $v$. Queries can be adaptive; that is, can depend on the outcomes of
previous queries. We assume G is known in advance, so that only $f$ needs to be queried.
Since we care only about query complexity, not computation time, there is no difficulty in
dealing with an infinite range for $f$ — though for lower bound purposes, it will turn out that
a range of size $O(\sqrt{|V|})$ suffices. I do not know of any case where a range larger than this
makes the Local Search problem harder, but I also do not know of a general reduction
from large to small range.

The model of query algorithms is the standard one. Given a graph G, the
deterministic query complexity of Local Search on G, which we denote DLS(G), is
$\min_\Gamma \max_f T(\Gamma, f, G)$ where the minimum ranges over all deterministic algorithms $\Gamma$, the
maximum ranges over all $f$, and $T(\Gamma, f, G)$ is the number of queries made to $f$ by $\Gamma$ before
it halts and outputs a local minimum of $f$ (or $\infty$ if $\Gamma$ fails to do so). The randomized query
complexity RLS(G) is defined similarly, except that now the algorithm has access to an
infinite random string R, and must only output a local minimum with probability at least
2/3 over R. For simplicity, one can assume that the number of queries T is the same for
all R; clearly this assumption changes the complexity by at most a constant factor.

In the quantum model, an algorithm's state has the form $\sum_{v,z,s} \alpha_{v,z,s} |v,z,s\rangle$,
where $v$ is the label of a vertex in G, and $z$ and $s$ are strings representing the answer register
and workspace respectively. The $\alpha_{v,z,s}$ are complex amplitudes satisfying
$\sum_{v,z,s} |\alpha_{v,z,s}|^2 = 1$. Starting from an arbitrary (fixed) initial state, the algorithm
proceeds by an alternating sequence of queries and algorithm steps. A query maps each
$|v,z,s\rangle$ to $|v, z \oplus f(v), s\rangle$, where $\oplus$ denotes bitwise exclusive-OR. An algorithm step
multiplies the vector of $\alpha_{v,z,s}$'s by an arbitrary unitary matrix that does not depend on $f$.
Letting $\mathcal{M}_f$ denote the set of local minima of $f$, the algorithm succeeds if at the end
$\sum_{v,z,s \,:\, v \in \mathcal{M}_f} |\alpha_{v,z,s}|^2 \geq 2/3$. Then the
bounded-error quantum query complexity, or QLS(G), is defined as the minimum number
of queries used by a quantum algorithm that succeeds on every $f$.

It is immediate that $\mathrm{QLS}(G) \leq \mathrm{RLS}(G) \leq \mathrm{DLS}(G) \leq N$. Also, letting $\delta$ be the
maximum degree of G, we have the following trivial lower bound.

Proposition 6 $\mathrm{RLS}(G) = \Omega(\delta)$ and $\mathrm{QLS}(G) = \Omega(\sqrt{\delta})$.

Proof. Let $v$ be a vertex of G with degree $\delta$. Choose a neighbor $w$ of $v$ uniformly
at random, and let $f(w) = 1$. Let $f(v) = 2$, and $f(u) = 3$ for all neighbors $u$ of $v$
other than $w$. Let $S$ be the neighbor set of $v$ (including $v$ itself); then for all $x \notin S$,
let $f(x) = 3 + \Delta(x, S)$ where $\Delta(x, S)$ is the minimum distance from $x$ to a vertex in $S$.
Clearly $f$ has a unique local minimum at $w$. However, finding $w$ requires exhaustive search
among the $\delta$ neighbors of $v$, which takes $\Omega(\sqrt{\delta})$ quantum queries by Bennett et al. [51]. ■

A corollary of Proposition 6 is that classically, zero-error randomized query complexity
is equivalent to bounded-error up to a constant factor. For given a candidate local
minimum $v$, one can check using $O(\delta)$ queries that $v$ is indeed a local minimum. Since
$\Omega(\delta)$ queries are needed anyway, this verification step does not affect the overall complexity.

As pointed out by Aldous, a classical randomized algorithm can find a local
minimum of $f$ with high probability in $O(\sqrt{N\delta})$ queries. The algorithm just queries $\sqrt{N\delta}$
vertices uniformly at random, and lets $v_0$ be a queried vertex for which $f(v)$ is minimal.
It then follows $v_0$ to a local minimum by steepest descent. That is, for $t = 0, 1, 2, \ldots$, it
queries all neighbors of $v_t$, halts if $v_t$ is a local minimum, and otherwise sets $v_{t+1}$ to be the
neighbor $w$ of $v_t$ for which $f(w)$ is minimal (breaking ties by lexicographic ordering). A
similar idea yields an improved quantum upper bound.

Proposition 7 For any G, $\mathrm{QLS}(G) = O(N^{1/3} \delta^{1/6})$.

Proof. The algorithm first chooses $N^{2/3} \delta^{1/3}$ vertices of G uniformly at random,
then uses Grover search to find a chosen vertex $v_0$ for which $f(v)$ is minimal. By a result of
Dürr and Høyer [102], this can be done with high probability in $O(N^{1/3} \delta^{1/6})$ queries. Next,
for $t = 0, 1, 2, \ldots$, the algorithm performs Grover search over all neighbors of $v_t$, looking
for a neighbor $w$ such that $f(w) < f(v_t)$. If it finds such a $w$, then it sets $v_{t+1} := w$ and
continues to the next iteration. Otherwise, it repeats the Grover search $\log(N/\delta)$ times
before finally giving up and returning $v_t$ as a claimed local minimum.

The expected number of $u$ such that $f(u) < f(v_0)$ is at most $N/(N^{2/3} \delta^{1/3}) = (N/\delta)^{1/3}$.
Since $f(v_{t+1}) < f(v_t)$ for all $t$, clearly the number of such $u$ provides an upper
bound on $t$. Furthermore, assuming there exists a $w$ such that $f(w) < f(v_t)$, the expected
number of repetitions of Grover's algorithm until such a $w$ is found is $O(1)$. Since each
repetition takes $O(\sqrt{\delta})$ queries, by linearity of expectation the total expected number of
queries used by the algorithm is therefore

$$O\left(N^{1/3} \delta^{1/6} + (N/\delta)^{1/3} \sqrt{\delta} + \log(N/\delta) \sqrt{\delta}\right)$$

or $O(N^{1/3} \delta^{1/6})$. To see that the algorithm finds a local minimum with high probability,
observe that for each $t$, the probability of not finding a $w$ such that $f(w) < f(v_t)$, given
that one exists, is at most $c^{-\log(N/\delta)} \leq (\delta/N)^{1/3}/10$ for a suitable constant $c$. So by
the union bound, the probability that the algorithm returns a 'false positive' is at most
$(N/\delta)^{1/3} \cdot (\delta/N)^{1/3}/10 = 1/10$. ■
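
The classical sample-then-descend algorithm described before Proposition 7, run on the Boolean hypercube against a hitting-time function of the kind defined via a random walk earlier in the chapter. This is an added illustration, not code from the thesis; the function names, the choice to simulate the walk until it has covered every vertex, and the choice to count distinct queried vertices are assumptions of the example.

```python
import math
import random


def hitting_time_function(n, rng):
    """Return (f, v0), where f[v] is the first time an unbiased walk from v0 hits v.

    Assumption of this example: the walk is simulated until it has covered all
    2**n vertices, so that f is defined everywhere. Vertices are n-bit integers.
    """
    size = 1 << n
    v0 = rng.randrange(size)
    f = {v0: 0}
    v, t = v0, 0
    while len(f) < size:
        t += 1
        v ^= 1 << rng.randrange(n)  # step to a uniformly random neighbor
        f.setdefault(v, t)          # keep only the first visit
    return f, v0


class QueryOracle:
    """Black-box access to f that counts the distinct vertices queried."""

    def __init__(self, f):
        self._f = f
        self._seen = set()

    def __call__(self, v):
        self._seen.add(v)
        return self._f[v]

    @property
    def queries(self):
        return len(self._seen)


def neighbors(v, n):
    """The n hypercube neighbors of v (Hamming distance 1)."""
    return [v ^ (1 << i) for i in range(n)]


def sample_then_descend(n, oracle, rng):
    """Query about sqrt(N * delta) random vertices, then follow steepest descent."""
    size, delta = 1 << n, n  # on the hypercube the maximum degree is n
    samples = math.isqrt(size * delta) + 1
    # Ties are broken by the integer value of the vertex, i.e. lexicographically.
    v = min((rng.randrange(size) for _ in range(samples)),
            key=lambda u: (oracle(u), u))
    while True:
        w = min(neighbors(v, n), key=lambda u: (oracle(u), u))
        if oracle(v) <= oracle(w):  # f(v) <= f(w) for every neighbor w
            return v
        v = w


def run_trial(n, seed):
    """One experiment: returns (vertex found, planted minimum v0, queries used)."""
    rng = random.Random(seed)
    f, v0 = hitting_time_function(n, rng)
    oracle = QueryOracle(f)
    found = sample_then_descend(n, oracle, rng)
    return found, v0, oracle.queries


if __name__ == "__main__":
    found, v0, used = run_trial(10, seed=1)
    print(f"found {found:010b}, planted minimum {v0:010b}, "
          f"{used} of {1 << 10} vertices queried")
```

Because the hitting-time function has a unique local minimum, the descent always ends at the walk's starting vertex; the query count is what varies between runs.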

7.3 Relational Adversary Method 

There are essentially two known methods for proving lower bounds on quantum query
complexity: the polynomial method of Beals et al. [ini> and the quantum adversary method
of Ambainis [27].⁶ For a few problems, such as the collision problem pi l218|, the polynomial
method succeeded where the adversary method failed. However, for problems that lack 
permutation symmetry (such as Local Search), the adversary method has proven more 
effective. 7 

How could a quantum lower bound method possibly be applied classically? When
proving randomized lower bounds, the tendency is to attack "bare-handed": fix a distribution
over inputs, and let $x_1, \ldots, x_t$ be the locations queried so far by the algorithm.
Show that for small $t$, the posterior distribution over inputs, conditioned on $x_1, \ldots, x_t$, is
still 'hard' with high probability — so that the algorithm knows almost nothing even about
which location $x_{t+1}$ to query next. This is essentially the approach taken by Aldous [21]
to prove a $2^{n/2-o(n)}$ lower bound on $\mathrm{RLS}(\{0,1\}^n)$.

In the quantum case, however, it is unclear how to specify what an algorithm 
'knows' after a given number of queries. So we are almost forced to step back, and identify 
general combinatorial properties of input sets that make them hard to distinguish. Once 
we have such properties, we can then try to exhibit them in functions of interest. 

We will see, somewhat surprisingly, that this "gloved" approach is useful for classical
lower bounds as well as quantum ones. In the relational adversary method, we assume
there exists a T-query randomized algorithm for function F. We consider a set $\mathcal{A}$ of
0-inputs of F, a set $\mathcal{B}$ of 1-inputs, and an arbitrary real-valued relation function $R(A, B) \geq 0$
for $A \in \mathcal{A}$ and $B \in \mathcal{B}$. Intuitively, $R(A, B)$ should be large if $A$ and $B$ differ in only a few
locations. We then fix a probability distribution $\mathcal{D}$ over inputs; by Yao's minimax principle,
there exists a T-query deterministic algorithm $\Gamma^*$ that succeeds with high probability on
inputs drawn from $\mathcal{D}$. Let $W_A$ be the set of 0-inputs and $W_B$ the set of 1-inputs on which
$\Gamma^*$ succeeds. Using the relation function R, we define a separation measure S between $W_A$
and $W_B$, and show that (1) initially S = 0, (2) by the end of the computation S must be
large, and (3) S increases by only a small amount as the result of each query. It follows
that T must be large.

The advantage of the relational method is that it converts a "dynamic" opponent —
an algorithm that queries adaptively — into a relatively static one. It thereby makes it
easier to focus on what is unique about a problem, aspects of query complexity that are
common to all problems having been handled automatically. Furthermore, one does not
need to know anything about quantum computing to understand and apply the method.
On the other hand, I have no idea how one would come up with it in the first place, without
Ambainis's quantum adversary method [27] and the reasoning about entanglement that led
to it.

The starting point is the "most general" adversary theorem in Ambainis's original
paper (Theorem 6 in [27]), which he introduced to prove a quantum lower bound for the
problem of inverting a permutation. Here the input is a permutation $\sigma(1), \ldots, \sigma(N)$, and
the task is to output 0 if $\sigma^{-1}(1) \leq N/2$ and 1 otherwise. To lower-bound this problem's
query complexity, what we would like to say is this:

Given any 0-input $\sigma$ and any location $x$, if we choose a random 1-input $\tau$ that is
'related' to $\sigma$, then the probability $\theta(\sigma, x)$ over $\tau$ that $\sigma(x)$ does not equal $\tau(x)$ is small.
In other words, the algorithm is unlikely to distinguish $\sigma$ from a random neighbor $\tau$ of $\sigma$
by querying $x$.

⁶ I am thinking here of the hybrid method [51] as a cousin of the adversary method.

⁷ Indeed, Ambainis [28] has given problems for which the adversary method provably yields a better lower
bound than the polynomial method.

Unfortunately, the above claim is false. Letting $x = \sigma^{-1}(1)$, we have that $\sigma(x) \neq \tau(x)$
for every 1-input $\tau$, and thus $\theta(\sigma, x) = 1$. Ambainis resolves this difficulty by letting
us take the maximum, over all 0-inputs $\sigma$ and 1-inputs $\tau$ that are related and differ at $x$,
of the geometric mean $\sqrt{\theta(\sigma, x)\, \theta(\tau, x)}$. Even if $\theta(\sigma, x) = 1$, the geometric mean is still
small provided that $\theta(\tau, x)$ is small. More formally:

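Theorem 8 (Ambainis) Let $\mathcal{A} \subseteq F^{-1}(0)$ and $\mathcal{B} \subseteq F^{-1}(1)$ be sets of inputs to function
F. Let $R(A, B) \geq 0$ be a symmetric real-valued function, and for $A \in \mathcal{A}$, $B \in \mathcal{B}$, and
location $x$, let

$$\theta(A, x) = \frac{\sum_{B^* \in \mathcal{B} \,:\, A(x) \neq B^*(x)} R(A, B^*)}{\sum_{B^* \in \mathcal{B}} R(A, B^*)},$$

$$\theta(B, x) = \frac{\sum_{A^* \in \mathcal{A} \,:\, A^*(x) \neq B(x)} R(A^*, B)}{\sum_{A^* \in \mathcal{A}} R(A^*, B)},$$

where the denominators are all nonzero. Then the number of quantum queries needed to
evaluate F with at least 9/10 probability is $\Omega(1/\nu_{geom})$, where

$$\nu_{geom} = \max_{A \in \mathcal{A},\, B \in \mathcal{B},\, x \,:\, R(A,B) > 0,\, A(x) \neq B(x)} \sqrt{\theta(A, x)\, \theta(B, x)}.$$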

The best way to understand Theorem 8 is to see it used in an example.

Proposition 9 (Ambainis) The quantum query complexity of inverting a permutation is
$\Omega(\sqrt{N})$.

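Proof. Let $\mathcal{A}$ be the set of all permutations $\sigma$ such that $\sigma^{-1}(1) \leq N/2$, and $\mathcal{B}$ be
the set of permutations $\tau$ such that $\tau^{-1}(1) > N/2$. Given $\sigma \in \mathcal{A}$ and $\tau \in \mathcal{B}$, let $R(\sigma, \tau) = 1$
if $\sigma$ and $\tau$ differ only at locations $\sigma^{-1}(1)$ and $\tau^{-1}(1)$, and $R(\sigma, \tau) = 0$ otherwise. Then
given $\sigma, \tau$ with $R(\sigma, \tau) = 1$, if $x \neq \sigma^{-1}(1)$ then $\theta(\sigma, x) = 2/N$, and if $x \neq \tau^{-1}(1)$ then
$\theta(\tau, x) = 2/N$. So $\max_{x \,:\, \sigma(x) \neq \tau(x)} \sqrt{\theta(\sigma, x)\, \theta(\tau, x)} = \sqrt{2/N}$. ■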

The only difference between Theorem 8 and my relational adversary theorem is
that in the latter, we take the minimum of $\theta(A, x)$ and $\theta(B, x)$ instead of the geometric
mean. Taking the reciprocal then gives up to a quadratically better lower bound: for
example, we obtain that the randomized query complexity of inverting a permutation is
$\Omega(N)$. However, the proofs of the two theorems are quite different.

Theorem 10 Let $\mathcal{A}, \mathcal{B}, R, \theta$ be as in Theorem 8. Then the number of randomized queries
needed to evaluate F with at least 9/10 probability is $\Omega(1/\nu_{\min})$, where

$$\nu_{\min} = \max_{A \in \mathcal{A},\, B \in \mathcal{B},\, x \,:\, R(A,B) > 0,\, A(x) \neq B(x)} \min\{\theta(A, x), \theta(B, x)\}.$$

Proof. Let $\Gamma$ be a randomized algorithm that, given an input $A$, returns $F(A)$
with at least 9/10 probability. Let T be the number of queries made by $\Gamma$. For all $A \in \mathcal{A}$,
$B \in \mathcal{B}$, define

$$M(A) = \sum_{B^* \in \mathcal{B}} R(A, B^*),$$

$$M(B) = \sum_{A^* \in \mathcal{A}} R(A^*, B),$$

$$M = \sum_{A^* \in \mathcal{A}} M(A^*) = \sum_{B^* \in \mathcal{B}} M(B^*).$$

Now let $\mathcal{D}_A$ be the distribution over $A \in \mathcal{A}$ in which each $A$ is chosen with probability
$M(A)/M$; and let $\mathcal{D}_B$ be the distribution over $B \in \mathcal{B}$ in which each $B$ is chosen with
probability $M(B)/M$. Let $\mathcal{D}$ be an equal mixture of $\mathcal{D}_A$ and $\mathcal{D}_B$. By Yao's minimax
principle, there exists a deterministic algorithm $\Gamma^*$ that makes T queries, and succeeds with
at least 9/10 probability given an input drawn from $\mathcal{D}$. Therefore $\Gamma^*$ succeeds with at least
4/5 probability given an input drawn from $\mathcal{D}_A$ alone, or from $\mathcal{D}_B$ alone. In other words,
letting $W_A$ be the set of $A \in \mathcal{A}$ and $W_B$ the set of $B \in \mathcal{B}$ on which $\Gamma^*$ succeeds, we have

$$\sum_{A \in W_A} M(A) \geq \frac{4}{5} M, \qquad \sum_{B \in W_B} M(B) \geq \frac{4}{5} M.$$

Define a predicate $P^{(t)}(A, B)$, which is true if $\Gamma^*$ has distinguished $A \in \mathcal{A}$ from $B \in \mathcal{B}$ by
the $t$-th query and false otherwise. (To distinguish $A$ from $B$ means to query an index $x$
for which $A(x) \neq B(x)$, given either $A$ or $B$ as input.) Also, for all $A \in \mathcal{A}$, define a score
function

$$S^{(t)}(A) = \sum_{B^* \in \mathcal{B} \,:\, P^{(t)}(A, B^*)} R(A, B^*).$$

This function measures how much "progress" has been made so far in separating $A$ from
$\mathcal{B}$-inputs, where the $\mathcal{B}$-inputs are weighted by $R(A, B)$. Similarly, for all $B \in \mathcal{B}$ define

$$S^{(t)}(B) = \sum_{A^* \in \mathcal{A} \,:\, P^{(t)}(A^*, B)} R(A^*, B).$$

It is clear that for all $t$,

$$\sum_{A \in \mathcal{A}} S^{(t)}(A) = \sum_{B \in \mathcal{B}} S^{(t)}(B).$$

So we can denote the above sum by $S^{(t)}$ and think of it as a global progress measure. The
proof relies on the following claims about $S^{(t)}$:



(i) $S^{(0)} = 0$ initially.

(ii) $S^{(T)} \geq 3M/5$ by the end.

(iii) $\Delta S^{(t)} \leq 3 \nu_{\min} M$ for all $t$, where $\Delta S^{(t)} = S^{(t)} - S^{(t-1)}$ is the amount by which
$S^{(t)}$ increases as the result of a single query.

It follows from (i)-(iii) that

$$T \geq \frac{3M/5}{3 \nu_{\min} M} = \frac{1}{5 \nu_{\min}},$$

which establishes the theorem. Part (i) is obvious. For part (ii), observe that for every
pair $(A, B)$ with $A \in W_A$ and $B \in W_B$, the algorithm $\Gamma^*$ must query an $x$ such that
$A(x) \neq B(x)$. Thus

$$S^{(T)} \geq \sum_{A \in W_A,\, B \in W_B} R(A, B) \geq \frac{4}{5} M - \frac{1}{5} M.$$

It remains only to show part (iii). Suppose $\Delta S^{(t)} > 3 \nu_{\min} M$ for some $t$; we will obtain a
contradiction. Let

$$\Delta S^{(t)}(A) = S^{(t)}(A) - S^{(t-1)}(A),$$

and let $C_A$ be the set of $A \in \mathcal{A}$ for which $\Delta S^{(t)}(A) > \nu_{\min} M(A)$. Since

$$\sum_{A \in \mathcal{A}} \Delta S^{(t)}(A) = \Delta S^{(t)} > 3 \nu_{\min} M,$$

it follows by Markov's inequality that

$$\sum_{A \in C_A} \Delta S^{(t)}(A) \geq \frac{2}{3} \Delta S^{(t)}.$$

Similarly, if we let $C_B$ be the set of $B \in \mathcal{B}$ for which $\Delta S^{(t)}(B) > \nu_{\min} M(B)$, we have

$$\sum_{B \in C_B} \Delta S^{(t)}(B) \geq \frac{2}{3} \Delta S^{(t)}.$$

In other words, at least 2/3 of the increase in $S^{(t)}$ comes from $(A, B)$ pairs such that
$A \in C_A$, and at least 2/3 comes from $(A, B)$ pairs such that $B \in C_B$. Hence, by a
'pigeonhole' argument, there exists an $A \in C_A$ and $B \in C_B$ with $R(A, B) > 0$ that are
distinguished by the $t$-th query. In other words, there exists an $x$ with $A(x) \neq B(x)$, such
that the $t$-th index queried by $\Gamma^*$ is $x$ whether the input is $A$ or $B$. Then since $A \in C_A$, we
have $\nu_{\min} M(A) < \Delta S^{(t)}(A)$, and hence

$$\nu_{\min} < \frac{\Delta S^{(t)}(A)}{M(A)} \leq \frac{\sum_{B^* \in \mathcal{B} \,:\, A(x) \neq B^*(x)} R(A, B^*)}{M(A)},$$

which equals $\theta(A, x)$. Similarly $\nu_{\min} < \theta(B, x)$ since $B \in C_B$. This contradicts the
definition

$$\nu_{\min} = \max_{A \in \mathcal{A},\, B \in \mathcal{B},\, x \,:\, R(A,B) > 0,\, A(x) \neq B(x)} \min\{\theta(A, x), \theta(B, x)\},$$

and we are done. ■
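
A brute-force check of Proposition 9 and of the randomized bound obtained from Theorem 10, added here as an illustration and not taken from the thesis: it enumerates all permutations for small N, builds the relation R from the proof of Proposition 9, and computes $\nu_{geom}^2$ and $\nu_{\min}$ exactly. The function names are hypothetical, and because R takes only the values 0 and 1 the sums in $\theta$ are computed as counts.

```python
from fractions import Fraction
from itertools import permutations


def inverse_of_one(perm):
    """The 1-based location x with perm(x) = 1."""
    return perm.index(1) + 1


def related(sigma, tau):
    """R(sigma, tau) = 1 iff the two differ only at sigma^{-1}(1) and tau^{-1}(1)."""
    differing = {x for x in range(len(sigma)) if sigma[x] != tau[x]}
    return differing == {sigma.index(1), tau.index(1)}


def theta(inp, x, related_inputs):
    """Fraction of the inputs related to `inp` that disagree with it at location x."""
    differ = sum(1 for other in related_inputs if other[x] != inp[x])
    return Fraction(differ, len(related_inputs))


def adversary_quantities(N):
    """Return (nu_geom squared, nu_min) for inverting a permutation of size N."""
    perms = list(permutations(range(1, N + 1)))
    zero_inputs = [p for p in perms if inverse_of_one(p) <= N // 2]  # the set A
    one_inputs = [p for p in perms if inverse_of_one(p) > N // 2]    # the set B

    # For each input, the inputs of the opposite kind it is related to.
    rel_of_zero = {a: [b for b in one_inputs if related(a, b)] for a in zero_inputs}
    rel_of_one = {b: [] for b in one_inputs}
    for a, bs in rel_of_zero.items():
        for b in bs:
            rel_of_one[b].append(a)

    nu_geom_sq = Fraction(0)
    nu_min = Fraction(0)
    for a, bs in rel_of_zero.items():
        for b in bs:                      # pairs with R(a, b) > 0
            for x in range(N):
                if a[x] == b[x]:
                    continue              # only locations where the pair differs
                t_a = theta(a, x, rel_of_zero[a])
                t_b = theta(b, x, rel_of_one[b])
                nu_geom_sq = max(nu_geom_sq, t_a * t_b)
                nu_min = max(nu_min, min(t_a, t_b))
    return nu_geom_sq, nu_min


if __name__ == "__main__":
    for size in (4, 6):
        geom_sq, minimum = adversary_quantities(size)
        print(f"N={size}: nu_geom^2 = {geom_sq}, nu_min = {minimum}")
```

At every location where a related pair differs, one of the two $\theta$ values is 1 and the other is 2/N, which is why the geometric mean gives $\sqrt{2/N}$ while the minimum gives 2/N.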
7.4 Snakes

For the lower bounds, it will be convenient to generalize random walks to arbitrary
distributions over paths, which we call snakes.

Definition 11 Given a vertex $h$ in G and a positive integer L, a snake distribution $\mathcal{D}_{h,L}$
(parameterized by $h$ and L) is a probability distribution over paths $(x_0, \ldots, x_{L-1})$ in G, such
that each $x_t$ is either equal or adjacent to $x_{t+1}$, and $x_{L-1} = h$. Let $D_{h,L}$ be the support of
$\mathcal{D}_{h,L}$. Then an element of $D_{h,L}$ is called a snake; the part near $x_0$ is the tail and the part
near $x_{L-1} = h$ is the head.

Given a snake X and integer $t$, we use $X[t]$ as shorthand for $\{x_0, \ldots, x_t\}$.

Definition 12 We say a snake $X \in D_{h,L}$ is $\varepsilon$-good if the following holds. Choose $j$
uniformly at random from $\{0, \ldots, L-1\}$, and let $Y = (y_0, \ldots, y_{L-1})$ be a snake drawn
from $\mathcal{D}_{h,L}$ conditioned on $x_t = y_t$ for all $t > j$. Then

(i) Letting $S_{X,Y}$ be the set of vertices $v$ in $X \cap Y$ such that $\min\{t : x_t = v\} = \min\{t : y_t = v\}$,
we have

$$\Pr_{j,Y}\left[X \cap Y = S_{X,Y}\right] \geq 9/10.$$

(ii) For all vertices $v$, $\Pr_{j,Y}\left[v \in Y[j]\right] \leq \varepsilon$.

The procedure above — wherein we choose a $j$ uniformly at random, then draw a
Y from $\mathcal{D}_{h,L}$ consistent with X on all steps later than $j$ — will be important in what follows.
I call it the snake X flicking its tail. Intuitively, a snake is good if it is spread out fairly
evenly in G — so that when it flicks its tail, (1) with high probability the old and new tails
do not intersect, and (2) any particular vertex is hit by the new tail with probability at
most $\varepsilon$.

I now explain the 'snake method' for proving lower bounds for Local Search.
Given a snake X, we define an input $f_X$ with a unique local minimum at $x_0$, and $f$-values
that decrease along X from head to tail. Then, given inputs $f_X$ and $f_Y$ with $X \cap Y = S_{X,Y}$,
we let the relation function $R(f_X, f_Y)$ be proportional to the probability that snake Y is
obtained by X flicking its tail. (If $X \cap Y \neq S_{X,Y}$ we let R = 0.) Let $f_X$ and $g_Y$ be inputs
with $R(f_X, g_Y) > 0$, and let $v$ be a vertex such that $f_X(v) \neq g_Y(v)$. Then if all snakes
were good, there would be two mutually exclusive cases: (1) $v$ belongs to the tail of X, or
(2) $v$ belongs to the tail of Y. In case (1), $v$ is hit with small probability when Y flicks
its tail, so $\theta(f_Y, v)$ is small. In case (2), $v$ is hit with small probability when X flicks its
tail, so $\theta(f_X, v)$ is small. In either case, then, the geometric mean $\sqrt{\theta(f_X, v)\, \theta(f_Y, v)}$ and
minimum $\min\{\theta(f_X, v), \theta(f_Y, v)\}$ are small. So even though $\theta(f_X, v)$ or $\theta(f_Y, v)$ could be
large individually, Theorems 8 and 10 yield a good lower bound, as in the case of inverting
a permutation (see Figure 7.1).

One difficulty is that not all snakes are good; at best, a large fraction of them are.
We could try deleting all inputs $f_X$ such that X is not good, but that might ruin some
remaining inputs, which would then have fewer neighbors. So we would have to delete

Figure 7.1: For every vertex $v$ such that $f_X(v) \neq f_Y(v)$, either when snake X flicks its
tail $v$ is not hit with high probability, or when snake Y flicks its tail $v$ is not hit with high
probability.

those inputs as well, and so on ad infinitum. What we need is basically a way to replace
"all inputs" by "most inputs" in Theorems 8 and 10.

Fortunately, a simple graph-theoretic lemma can accomplish this. The lemma (see 
Diestel P-6] for example) says that any graph with average degree at least k contains an 
induced subgraph with minimum degree at least k/2. Below I prove a weighted analogue 
of the lemma. 

Lemma 13 Let $p(1), \ldots, p(m)$ be positive reals summing to 1. Also let $w(i, j)$ for
$i, j \in \{1, \ldots, m\}$ be nonnegative reals satisfying $w(i, j) = w(j, i)$ and $\sum_{i,j} w(i, j) \geq r$. Then
there exists a nonempty subset $U \subseteq \{1, \ldots, m\}$ such that for all $i \in U$,
$\sum_{j \in U} w(i, j) \geq r\, p(i)/2$.

Proof. If $r = 0$ then the lemma trivially holds, so assume $r > 0$. We construct
U via an iterative procedure. Let $U(0) = \{1, \ldots, m\}$. Then for all $t$, if there exists an
$i^* \in U(t)$ for which

then set $U(t+1) = U(t) \setminus \{i^*\}$. Otherwise halt and return $U = U(t)$. To see that the U so
constructed is nonempty, observe that when we remove $i^*$, the sum $\sum_{i \in U(t)} p(i)$ decreases
by $p(i^*)$, while $\sum_{i,j \in U(t)} w(i, j)$ decreases by at most

j&u{t) jeu(t) 

So since $\sum_{i,j \in U(t)} w(i, j)$ was positive to begin with, it must still be positive at the end of
the procedure; hence U must be nonempty. ■

I can now prove the main result of the section.

Theorem 14 Suppose a snake drawn from $\mathcal{D}_{h,L}$ is $\varepsilon$-good with probability at least 9/10.
Then

$$\mathrm{RLS}(G) = \Omega(1/\varepsilon), \qquad \mathrm{QLS}(G) = \Omega\left(\sqrt{1/\varepsilon}\right).$$

Proof. Given a snake $X \in D_{h,L}$, we construct an input function $f_X$ as follows.
For each $v \in X$, let $f_X(v) = \min\{t : x_t = v\}$; and for each $v \notin X$, let $f_X(v) = \Delta(v, h) + L$
where $\Delta(v, h)$ is the distance from $v$ to $h$ in G. Clearly $f_X$ so defined has a unique local
minimum at $x_0$. To obtain a decision problem, we stipulate that querying $x_0$ reveals an
answer bit (0 or 1) in addition to $f_X(x_0)$; the algorithm's goal is then to return the answer
bit. Obviously a lower bound for the decision problem implies a corresponding lower bound
for the search problem. Let us first prove the theorem in the case that all snakes in $D_{h,L}$ are
$\varepsilon$-good. Let $p(X)$ be the probability of drawing snake X from $\mathcal{D}_{h,L}$. Also, given snakes
X, Y and $j \in \{0, \ldots, L-1\}$, let $q_j(X, Y)$ be the probability that $X^* = Y$, if $X^*$ is drawn
from $\mathcal{D}_{h,L}$ conditioned on agreeing with X on all steps later than $j$. Then define

$$w(X, Y) = \frac{p(X)}{L} \sum_{j=0}^{L-1} q_j(X, Y).$$

The first claim is that $w$ is symmetric; that is, $w(X, Y) = w(Y, X)$. It suffices to show
that

$$p(X)\, q_j(X, Y) = p(Y)\, q_j(Y, X)$$

for all $j$. We can assume X agrees with Y on all steps later than $j$, since otherwise
$q_j(X, Y) = q_j(Y, X) = 0$. Given an $X^* \in D_{h,L}$, let $A$ denote the event that $X^*$ agrees
with X (or equivalently Y) on all steps later than $j$, and let $B_X$ (resp. $B_Y$) denote the
event that $X^*$ agrees with X (resp. Y) on steps 1 to $j$. Then

$$p(X)\, q_j(X, Y) = \Pr[A] \Pr[B_X \mid A] \cdot \Pr[B_Y \mid A] = p(Y)\, q_j(Y, X).$$

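Now let $E(X, Y)$ denote the event that $X \cap Y = S_{X,Y}$, where $S_{X,Y}$ is as in Definition
12. Also, let $f_X$ be the input obtained from X that has answer bit 0, and $g_X$ be the
input that has answer bit 1. To apply Theorems 8 and 10, take $\mathcal{A} = \{f_X : X \in D_{h,L}\}$
and $\mathcal{B} = \{g_X : X \in D_{h,L}\}$. Then take $R(f_X, g_Y) = w(X, Y)$ if $E(X, Y)$ holds, and
$R(f_X, g_Y) = 0$ otherwise. Given $f_X \in \mathcal{A}$ and $g_Y \in \mathcal{B}$ with $R(f_X, g_Y) > 0$, and letting $v$
be a vertex such that $f_X(v) \neq g_Y(v)$, we must then have either $v \notin X$ or $v \notin Y$. Suppose
the former case; then

$$\sum_{f_{X^*} \in \mathcal{A} \,:\, f_{X^*}(v) \neq g_Y(v)} R(f_{X^*}, g_Y) \leq \sum_{f_{X^*} \in \mathcal{A} \,:\, f_{X^*}(v) \neq g_Y(v)} \frac{p(Y)}{L} \sum_{j=0}^{L-1} q_j(Y, X^*) \leq \varepsilon\, p(Y),$$

since Y is $\varepsilon$-good. Thus $\theta(g_Y, v)$ equals

$$\frac{\sum_{f_{X^*} \in \mathcal{A} \,:\, f_{X^*}(v) \neq g_Y(v)} R(f_{X^*}, g_Y)}{\sum_{f_{X^*} \in \mathcal{A}} R(f_{X^*}, g_Y)} \leq \frac{\varepsilon\, p(Y)}{9 p(Y)/10}.$$

Similarly, if $v \notin Y$ then $\theta(f_X, v) \leq 10\varepsilon/9$ by symmetry. Hence

$$\nu_{\min} = \max_{f_X \in \mathcal{A},\, g_Y \in \mathcal{B},\, v \,:\, R(f_X, g_Y) > 0,\, f_X(v) \neq g_Y(v)} \min\{\theta(f_X, v), \theta(g_Y, v)\} \leq \frac{\varepsilon}{9/10},$$

$$\nu_{geom} = \max_{f_X \in \mathcal{A},\, g_Y \in \mathcal{B},\, v \,:\, R(f_X, g_Y) > 0,\, f_X(v) \neq g_Y(v)} \sqrt{\theta(f_X, v)\, \theta(g_Y, v)} \leq \sqrt{\frac{\varepsilon}{9/10}},$$

the latter since $\theta(f_X, v) \leq 1$ and $\theta(g_Y, v) \leq 1$ for all $f_X$, $g_Y$ and $v$.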

In the general case, all we know is that a snake drawn from $\mathcal{D}_{h,L}$ is $\varepsilon$-good with
probability at least 9/10. Let $G(X)$ denote the event that $X$ is $\varepsilon$-good. Take $\mathcal{A}^* =
\{f_X \in \mathcal{A} : G(X)\}$ and $\mathcal{B}^* = \{g_Y \in \mathcal{B} : G(Y)\}$, and take $R(f_X, g_Y)$ as before. Then since

E «(*m£^(*)>^> 

by the union bound we have 

E R{fx,gy)> E E pW" E P( y ) 

fxeA*, gyeB* X,y : G(X)aG(Y)aE(X,Y) X : n G(X) Y : n G(Y) 

$$\ge \frac{9}{10} - \frac{1}{10} - \frac{1}{10} = \frac{7}{10}.$$

So by Lemma 11 there exist subsets $\tilde{\mathcal{A}} \subseteq \mathcal{A}^*$ and $\tilde{\mathcal{B}} \subseteq \mathcal{B}^*$ such that for all $f_X \in \tilde{\mathcal{A}}$ and

E 

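So for all $f_X, g_Y$ with $R(f_X, g_Y) > 0$, and all $v$ such that $f_X(v) \neq g_Y(v)$, either $\theta(f_X, v) \le
20\varepsilon/7$ or $\theta(g_Y, v) \le 20\varepsilon/7$. Hence $\upsilon_{\min} \le 20\varepsilon/7$ and $\upsilon_{\mathrm{geom}} \le \sqrt{20\varepsilon/7}$. ■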



7.5 Specific Graphs 

In this section I apply the 'snake method' developed in Section 7.4 to specific examples
of graphs: the Boolean hypercube in Section 7.5.1, and the $d$-dimensional cubic grid (for
$d \ge 3$) in Section 7.5.2.

7.5.1 Boolean Hypercube 

Abusing notation, let $\{0,1\}^n$ denote the $n$-dimensional Boolean hypercube — that is, the
graph whose vertices are $n$-bit strings, with two vertices adjacent if and only if they have
Hamming distance 1. Given a vertex $v \in \{0,1\}^n$, let $v[0], \ldots, v[n-1]$ denote the $n$
bits of $v$, and let $v^{(i)}$ denote the neighbor obtained by flipping bit $v[i]$. In this section I
lower-bound $\mathrm{RLS}(\{0,1\}^n)$ and $\mathrm{QLS}(\{0,1\}^n)$.

Fix a 'snake head' $h \in \{0,1\}^n$ and take $L = 2^{n/2}/100$. I define the snake distribution
$\mathcal{D}_{h,L}$ via what I call a coordinate loop, as follows. Starting from $x_0 = h$, for each $t$ take
$x_{t+1} = x_t$ with 1/2 probability, and $x_{t+1} = x_t^{(t \bmod n)}$ with 1/2 probability. The following is
a basic fact about this distribution.

Proposition 15 The coordinate loop mixes completely in $n$ steps, in the sense that if $t^* \ge
t + n$, then $x_{t^*}$ is a uniform random vertex conditioned on $x_t$.

One could also use the random walk distribution, following Aldous [24]. However,
not only is the coordinate loop distribution easier to work with (since it produces fewer
self-intersections), it also yields a better lower bound (since it mixes completely in $n$ steps,
as opposed to approximately in $n \log n$ steps).
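Proposition 15 and the contrast with a random walk can be checked exactly on a small hypercube. The Python below is an added example, not code from the thesis; the lazy random walk (stay with probability 1/2, otherwise flip a uniformly random bit) is an assumed stand-in for the random walk distribution, and all function names are illustrative.

```python
from fractions import Fraction


def step_coordinate_loop(dist, t, n):
    """One coordinate-loop step: keep x, or flip bit (t mod n), each with probability 1/2."""
    out = [Fraction(0)] * len(dist)
    bit = 1 << (t % n)
    for x, p in enumerate(dist):
        if p:
            out[x] += p / 2
            out[x ^ bit] += p / 2
    return out


def step_lazy_walk(dist, n):
    """One step of the assumed comparison walk: stay with probability 1/2,
    otherwise flip a uniformly random one of the n bits."""
    out = [Fraction(0)] * len(dist)
    for x, p in enumerate(dist):
        if p:
            out[x] += p / 2
            for i in range(n):
                out[x ^ (1 << i)] += p / (2 * n)
    return out


def tv_from_uniform(dist):
    """Total variation distance between dist and the uniform distribution."""
    u = Fraction(1, len(dist))
    return sum(abs(p - u) for p in dist) / 2


def distance_after(n, steps, start=0, t0=0, walk="loop"):
    """Exact distance from uniform of x_{t0+steps} conditioned on x_{t0} = start."""
    dist = [Fraction(0)] * (1 << n)
    dist[start] = Fraction(1)
    for s in range(steps):
        if walk == "loop":
            dist = step_coordinate_loop(dist, t0 + s, n)
        else:
            dist = step_lazy_walk(dist, n)
    return tv_from_uniform(dist)


if __name__ == "__main__":
    n = 5
    print("coordinate loop, n-1 steps:", distance_after(n, n - 1, start=19, t0=3))
    print("coordinate loop, n steps:  ", distance_after(n, n, start=19, t0=3))
    print("lazy walk, n steps:        ", float(distance_after(n, n, walk="lazy")))
```

After n - 1 steps the coordinate loop is uniform over only half of the vertices; one more step makes it exactly uniform whatever the starting time, while the lazy walk is still measurably far from uniform.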

I first upper-bound the probability, over $X$, $j$, and $Y[j]$, that $X \cap Y \neq S_{X,Y}$ (where
$S_{X,Y}$ is as in Definition 12).

Lemma 16 Suppose $X$ is drawn from $\mathcal{D}_{h,L}$, $j$ is drawn uniformly from $\{0, \ldots, L-1\}$, and
$Y[j]$ is drawn from $\mathcal{D}_{X,j}$. Then $\Pr_{X,j,Y[j]}[X \cap Y = S_{X,Y}] \ge 0.9999$.

Proof. Call a disagreement a vertex $v$ such that

$$\min\{t : x_t = v\} \neq \min\{t^* : y_{t^*} = v\}.$$

Clearly if there are no disagreements then $X \cap Y = S_{X,Y}$. If $v$ is a disagreement, then by
the definition of $\mathcal{D}_{h,L}$ we cannot have both $t > j - n$ and $t^* > j - n$. So by Proposition 15,
either $y_{t^*}$ is uniformly random conditioned on $X$, or $x_t$ is uniformly random conditioned on
$Y[j]$. Hence $\Pr_{X,j,Y[j]}[x_t = y_{t^*}] = 1/2^n$. So by the union bound,

$$\Pr_{X,j,Y[j]}[X \cap Y \neq S_{X,Y}] \le \frac{L^2}{2^n} = 0.0001.$$

■

I now argue that, unless $X$ spends a 'pathological' amount of time in one part of
the hypercube, the probability of any vertex $v$ being hit when $X$ flicks its tail is small. To
prove this, I define a notion of sparseness, and then show that (1) almost all snakes drawn
from $\mathcal{D}_{h,L}$ are sparse (Lemma 18), and (2) sparse snakes are unlikely to hit any given vertex
$v$ (Lemma 19).

Definition 17 Given vertices $v, w$ and $i \in \{0, \ldots, n-1\}$, let $\Delta(x, v, i)$ be the number of
steps needed to reach $v$ from $x$ by first setting $x[i] := v[i]$, then setting $x[i-1] := v[i-1]$,
and so on. (After we set $x[0]$ we wrap around to $x[n-1]$.) Then $X$ is sparse if there
exists a constant $c$ such that for all $v \in \{0,1\}^n$ and all $k$,

$$|\{t : \Delta(x_t, v, t \bmod n) = k\}| \le cn\left(n + \frac{L}{2^{n-k}}\right).$$

Lemma 18 If $X$ is drawn from $\mathcal{D}_{h,L}$, then $X$ is sparse with probability $1 - o(1)$.

Proof. For each $i \in \{0, \ldots, n-1\}$, the number of $t \in \{0, \ldots, L-1\}$ such that
$t \equiv i \pmod{n}$ is at most $L/n$. For such a $t$, let $E_t^{(v,i,k)}$ be the event that $\Delta(x_t, v, i) \le k$;
then $E_t^{(v,i,k)}$ holds if and only if

$$x_t[i] = v[i], \ldots, x_t[i-k+1] = v[i-k+1]$$

(where we wrap around to $x_t[n-1]$ after reaching $x_t[0]$). This occurs with probability
$2^k/2^n$ over $X$. Furthermore, by Proposition 15, the $E_t^{(v,i,k)}$ events for different $t$'s are
independent. So let

$$\mu_k = \frac{L}{n} \cdot \frac{2^k}{2^n};$$

then for fixed $v, i, k$, the expected number of $t$'s for which $E_t^{(v,i,k)}$ holds is at most $\mu_k$. Thus
by a Chernoff bound, if $\mu_k \ge 1$ then

$$\Pr_X\left[\left|\left\{t : E_t^{(v,i,k)}\right\}\right| > cn \cdot \mu_k\right] < \left(\frac{e^{cn-1}}{(cn)^{cn}}\right)^{\mu_k} < \frac{1}{2^{2n}}$$

for sufficiently large $c$. Similarly, if $\mu_k < 1$ then

$$\Pr_X\left[\left|\left\{t : E_t^{(v,i,k)}\right\}\right| > cn\right] < \left(\frac{e^{cn/\mu_k - 1}}{(cn/\mu_k)^{cn/\mu_k}}\right)^{\mu_k} < \frac{1}{2^{2n}}$$

for sufficiently large $c$. By the union bound, then,

$$\left|\left\{t : E_t^{(v,i,k)}\right\}\right| \le cn \cdot (1 + \mu_k) = c\left(n + \frac{L}{2^{n-k}}\right)$$

for every $v, i, k$ triple simultaneously with probability at least $1 - n^2 2^n/2^{2n} = 1 - o(1)$.
Summing over all $i$'s produces the additional factor of $n$. ■

Lemma 19 If $X$ is sparse, then for every $v \in \{0,1\}^n$,

$$\Pr_{j,Y}[v \in Y[j]] = O\left(\frac{n^2}{L}\right).$$

Proof. By assumption, for every $k \in \{0, \ldots, n\}$,

$$\Pr_j[\Delta(x_j, v, j \bmod n) = k] \le \frac{|\{t : \Delta(x_t, v, t \bmod n) = k\}|}{L} \le \frac{cn}{L}\left(n + \frac{L}{2^{n-k}}\right).$$

Consider the probability that $v \in Y[j]$ in the event that $\Delta(x_j, v, j \bmod n) = k$. Clearly

$$\Pr_Y[v \in \{y_{j-n+1}, \ldots, y_j\}] = \frac{1}{2^k}.$$

Also, Proposition 15 implies that for every $t \le j - n$, the probability that $y_t = v$ is $2^{-n}$.
So by the union bound,

$$\Pr_Y[v \in \{y_0, \ldots, y_{j-n}\}] \le \frac{L}{2^n}.$$

Then $\Pr_{j,Y}[v \in Y[j]]$ equals

$$\sum_{k=0}^{n} \Pr_j[\Delta(x_j, v, j \bmod n) = k] \cdot \Pr_Y[v \in Y[j] \mid \Delta(x_j, v, j \bmod n) = k] \le \sum_{k=0}^{n} \frac{cn}{L}\left(n + \frac{L}{2^{n-k}}\right)\left(\frac{1}{2^k} + \frac{L}{2^n}\right) = O\left(\frac{cn^2}{L}\right)$$

as can be verified by breaking the sum into cases and doing some manipulations.
The main result follows easily: 



Theorem 20

$$\mathrm{RLS}(\{0,1\}^n) = \Omega\left(\frac{2^{n/2}}{n^2}\right), \qquad \mathrm{QLS}(\{0,1\}^n) = \Omega\left(\frac{2^{n/4}}{n}\right).$$

Proof. Take $\varepsilon = n^2/2^{n/2}$. Then by Theorem 14, it suffices to show that a snake
$X$ drawn from $\mathcal{D}_{h,L}$ is $O(\varepsilon)$-good with probability at least 9/10. First, since

$$\Pr_{X,j,Y[j]}[X \cap Y = S_{X,Y}] \ge 0.9999$$

by Lemma 16, Markov's inequality shows that

$$\Pr_X\left[\Pr_{j,Y[j]}[X \cap Y = S_{X,Y}] \ge \frac{9}{10}\right] \ge \frac{19}{20}.$$

Second, by Lemma 18, $X$ is sparse with probability $1 - o(1)$, and by Lemma 19, if $X$ is
sparse then

$$\Pr_{j,Y}[v \in Y[j]] = O\left(\frac{n^2}{L}\right) = O(\varepsilon)$$

for every $v$. So both requirements of Definition 13 hold simultaneously with probability at
least 9/10. ■
Figure 7.2: In $d = 3$ dimensions, a snake drawn from $\mathcal{D}_{h,L}$ moves a random distance left or
right, then a random distance up or down, then a random distance inward or outward, etc.



7.5.2 Constant-Dimensional Grid Graph 

In the Boolean hypercube case, $\mathcal{D}_{h,L}$ was defined by a 'coordinate loop' instead of the
usual random walk mainly for convenience. When we move to the $d$-dimensional grid,
though, the drawbacks of random walks become more serious: first, the mixing time is
too long, and second, there are too many self-intersections, particularly if $d \le 4$. The
snake distribution will instead use straight lines of randomly chosen lengths attached at the
endpoints, as in Figure 7.2. Let $G_{d,N}$ be a $d$-dimensional grid graph with $d \ge 3$. That is,
$G_{d,N}$ has $N$ vertices of the form $v = (v[0], \ldots, v[d-1])$, where each $v[i]$ is in $\{1, \ldots, N^{1/d}\}$
(assume for simplicity that $N$ is a $d$-th power). Vertices $v$ and $w$ are adjacent if and only
if $|v[i] - w[i]| = 1$ for some $i \in \{0, \ldots, d-1\}$, and $v[j] = w[j]$ for all $j \neq i$ (so $G_{d,N}$ does
not wrap around at the boundaries).

Take $L = \sqrt{N}/100$, and define the snake distribution $\mathcal{D}_{h,L}$ as follows. Starting
from $x_0 = h$, for each $T$ take $x_{N^{1/d}(T+1)}$ identical to $x_{N^{1/d}T}$, but with the $(T \bmod d)$-th
coordinate $x_{N^{1/d}(T+1)}[T \bmod d]$ replaced by a uniform random value in $\{1, \ldots, N^{1/d}\}$. Then
take the vertices $x_{N^{1/d}T+1}, \ldots, x_{N^{1/d}T+N^{1/d}-1}$ to lie along the shortest path from $x_{N^{1/d}T}$ to
$x_{N^{1/d}(T+1)}$, 'stalling' at $x_{N^{1/d}(T+1)}$ once that vertex has been reached. Call

$$\Phi_T = \left(x_{N^{1/d}T}, \ldots, x_{N^{1/d}T+N^{1/d}-1}\right)$$

a line of vertices, whose direction is $T \bmod d$. As in the Boolean hypercube case, we have:

Proposition 21 $\mathcal{D}_{h,L}$ mixes completely in $dN^{1/d}$ steps, in the sense that if $T^* \ge T + d$,
then $x_{N^{1/d}T^*}$ is a uniform random vertex conditioned on $x_{N^{1/d}T}$.

Lemma 16 in Section 7.5.1 goes through essentially without change.

Definition 22 Letting $\Delta(x, v, i)$ be as before, we say $X$ is sparse if there exists a constant
$c$ (possibly dependent on $d$) such that for all vertices $v$ and all $k$,

$$\left|\left\{t : \Delta\left(x_t, v, \lfloor t/N^{1/d} \rfloor \bmod d\right) = k\right\}\right| \le (c \log N)\left(N^{1/d} + \frac{L}{N^{1-k/d}}\right).$$

Lemma 23 If $X$ is drawn from $\mathcal{D}_{h,L}$, then $X$ is sparse with probability $1 - o(1)$.



Proof. Similar to Lemma 18. Let $\Phi_T$ be a line of vertices with direction $i =
T \bmod d$, and notice that $\Delta(x_t, v, i)$ is the same for every vertex $x_t$ in $\Phi_T$. Let $E_T^{(v,i,k)}$
denote the event that $\Delta(x_t, v, i) \le k$ for the $x_t$'s in $\Phi_T$; then $E_T^{(v,i,k)}$ occurs with probability
$N^{(k-1)/d}/N$ over $X$. Furthermore, if $|T - T^*| \ge d$ then $E_T^{(v,i,k)}$ and $E_{T^*}^{(v,i,k)}$ are independent
events. So let



N 



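then for fixed $v, i, k$, the expected number of lines for which $E_T^{(v,i,k)}$ holds is at most $\mu_k$.
Thus, by a Chernoff bound, if $\mu_k \ge 1$ then

$$\Pr_X\left[\left|\left\{T : E_T^{(v,i,k)}\right\}\right| > c \log N \cdot \mu_k\right] < \left(\frac{e^{c \log N - 1}}{(c \log N)^{c \log N}}\right)^{\mu_k}$$

which is at most $1/N^2$ for sufficiently large $c$. Similarly, if $\mu_k < 1$ then letting $m =
(c \log N)/\mu_k$,

$$\Pr_X\left[\left|\left\{T : E_T^{(v,i,k)}\right\}\right| > c \log N\right] < \left(\frac{e^{m-1}}{m^m}\right)^{\mu_k} < \frac{1}{N^2}$$

for sufficiently large $c$. So with probability $1 - o(1)$ it holds that for all $v, k$, letting
$i_t = \lfloor t/N^{1/d} \rfloor \bmod d$,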

| {t : A (x t , v, i t ) = k} | < c log N • (1 + /i fc ) • A^ 



(clog AT) ( A^ 1/d + 



jyl-fe/d / " 



Lemma 24 If $X$ is sparse, then for every $v \in G_{d,N}$,

$$\Pr_{j,Y}[v \in Y[j]] = O\left(\frac{N^{1/d} \log N}{L}\right),$$

where the big-O hides a constant dependent on $d$.

Proof. As in Lemma 19, setting $i_j = \lfloor j/N^{1/d} \rfloor \bmod d$ we obtain that $\Pr_{j,Y}[v \in Y[j]]$
equals

$$\sum_{k=1}^{d} \Pr_j[\Delta(x_j, v, i_j) = k] \Pr_Y[v \in Y[j] \mid \Delta(x_j, v, i_j) = k] \le \sum_{k=1}^{d} \frac{c \log N}{L}\left(N^{1/d} + \frac{L}{N^{1-k/d}}\right)\left(\frac{1}{N^{(k-1)/d}} + \frac{L}{N}\right) = O\left(\frac{N^{1/d} \log N}{L}\right).$$

By the same proof as for Theorem 20, taking $\varepsilon = (\log N)/N^{1/2-1/d}$ yields the
following:

Theorem 25 Neglecting a constant dependent on $d$, for all $d \ge 3$

$$\mathrm{RLS}(G_{d,N}) = \Omega\left(\frac{N^{1/2-1/d}}{\log N}\right),$$

$$\mathrm{QLS}(G_{d,N}) = \Omega\left(\sqrt{\frac{N^{1/2-1/d}}{\log N}}\right).$$
Chapter 8

Quantum Certificate Complexity 



This chapter studies the relationships between classical and quantum measures of
query complexity. Let $f : S \to \{0,1\}$ be a Boolean function with $S \subseteq \{0,1\}^n$, that takes
input $Y = y_1 \ldots y_n$. Then the deterministic query complexity $D(f)$ is the minimum number
of queries to the $y_i$'s needed to evaluate $f$, if $Y$ is chosen adversarially and if queries can
be adaptive (that is, can depend on the outcomes of previous queries). Also, the bounded-error
randomized query complexity, $R_2(f)$, is the minimum expected number of queries
needed by a randomized algorithm that, for each $Y$, outputs $f(Y)$ with probability at least
2/3. Here the '2' refers to two-sided error; if instead we require $f(Y)$ to be output with
probability 1 for every $Y$, we obtain $R_0(f)$, or zero-error randomized query complexity.

Analogously, $Q_2(f)$ is the minimum number of queries needed by a quantum
algorithm that outputs $f(Y)$ with probability at least 2/3 for all $Y$. Also, for $k \in \{0,1\}$
let $Q_0^k(f)$ be the minimum number of queries needed by a quantum algorithm that outputs
$f(Y)$ with probability 1 if $f(Y) = k$, and with probability at least 1/2 if $f(Y) \neq k$.
Then let $Q_0(f) = \max\{Q_0^0(f), Q_0^1(f)\}$. If we require a single algorithm that succeeds
with probability 1 for all $Y$, we obtain $Q_E(f)$, or exact quantum query complexity. See
Buhrman and de Wolf [78] for a more detailed survey of these measures.

It is immediate that

$$Q_2(f) \le R_2(f) \le R_0(f) \le D(f) \le n,$$

that $Q_0(f) \le R_0(f)$, and that $Q_E(f) \le D(f)$. If $f$ is partial (i.e. $S \neq \{0,1\}^n$), then $Q_2(f)$
can be superpolynomially smaller than $R_2(f)$; this is what makes Shor's period-finding
algorithm [219] possible. For total $f$, by contrast, the largest known gap even between
$D(f)$ and $Q_2(f)$ is quadratic, and is achieved by the OR function on $n$ bits: $D(\mathrm{OR}) = n$
(indeed $R_2(\mathrm{OR}) = \Omega(n)$), whereas $Q_2(\mathrm{OR}) = O(\sqrt{n})$ because of Grover's search algorithm
[139]. Furthermore, for total $f$, Beals et al. [45] showed that $D(f) = O(Q_2(f)^6)$, while
de Wolf [244] showed that $D(f) = O(Q_2(f)^2 Q_0(f)^2)$.

The result of Beals et al. [45] relies on two intermediate complexity measures, the
certificate complexity $C(f)$ and block sensitivity $\mathrm{bs}(f)$, which are defined as follows.

Definition 26 A certificate for an input $X$ is a set $S \subseteq \{1, \ldots, n\}$ such that for all inputs
$Y$ of $f$, if $y_i = x_i$ for all $i \in S$ then $f(Y) = f(X)$. Then $C^X(f)$ is the minimum size of a
certificate for $X$, and $C(f)$ is the maximum of $C^X(f)$ over all $X$.

Definition 27 A sensitive block on input $X$ is a set $B \subseteq \{1, \ldots, n\}$ such that $f(X^{(B)}) \neq
f(X)$, where $X^{(B)}$ is obtained from $X$ by flipping $x_i$ for each $i \in B$. Then $\mathrm{bs}^X(f)$ is the
maximum number of disjoint sensitive blocks on $X$, and $\mathrm{bs}(f)$ is the maximum of $\mathrm{bs}^X(f)$
over all $X$.

Clearly $\mathrm{bs}(f) \le C(f) \le D(f)$. For total $f$, these measures are all polynomially
related: Nisan [183] showed that $C(f) \le \mathrm{bs}(f)^2$, while Beals et al. [45] showed that $D(f) \le
C(f)\,\mathrm{bs}(f)$. Combining these results with $\mathrm{bs}(f) = O(Q_2(f)^2)$ (from the optimality of
Grover's algorithm), one obtains $D(f) = O(Q_2(f)^6)$.

                         Deterministic   Randomized        Quantum
Query complexity         $D(f)$          $R_2(f)$          $Q_2(f)$
Certificate complexity   $C(f)$          $\mathrm{RC}(f)$  $\mathrm{QC}(f)$

Table 8.1: Query complexity measures and their certificate complexity analogues.

8.1 Summary of Results 

I investigate $\mathrm{RC}(f)$ and $\mathrm{QC}(f)$, the bounded-error randomized and quantum generalizations
of the certificate complexity $C(f)$ (see Table 8.1). My motivation is that, just as
$C(f)$ was used to show a polynomial relation between $D(f)$ and $Q_2(f)$, so $\mathrm{RC}(f)$ and
$\mathrm{QC}(f)$ can lead to new relations among fundamental query complexity measures.

What the certificate complexity $C(f)$ measures is the number of queries used to
verify a certificate, not the number of bits used to communicate it. Thus, if we want
to generalize $C(f)$, we should assume the latter is unbounded. A consequence is that
without loss of generality, a certificate is just a claimed value $X$ for the input $Y$¹ — since
any additional information that a prover might provide, the verifier can compute for itself.
The verifier's job is to check that $f(Y) = f(X)$. With this in mind I define $\mathrm{RC}(f)$ as
follows.

Definition 28 A randomized verifier for input $X$ is a randomized algorithm that, on input
$Y$ to $f$, (i) accepts with probability 1 if $Y = X$, and (ii) rejects with probability at least 1/2 if
$f(Y) \neq f(X)$. (If $Y \neq X$ but $f(Y) = f(X)$, the acceptance probability can be arbitrary.)
Then $\mathrm{RC}^X(f)$ is the minimum expected number of queries used by a randomized verifier
for $X$, and $\mathrm{RC}(f)$ is the maximum of $\mathrm{RC}^X(f)$ over all $X$.

I define $\mathrm{QC}(f)$ analogously, with quantum instead of randomized algorithms. The
following justifies the definition (the $\mathrm{RC}(f)$ part was originally shown by Raz et al. [197]).

¹ Throughout this chapter, I use $Y$ to denote the 'actual' input being queried, and $X$ to denote the
'claimed' input.
Proposition 29 Making the error probability two-sided rather than one-sided changes $\mathrm{RC}(f)$
and $\mathrm{QC}(f)$ by at most a constant factor.

Proof. For $\mathrm{RC}(f)$, let $r_V^Y$ be the event that verifier $V$ rejects on input $Y$, and
let $d_V^Y$ be the event that $V$ encounters a disagreement with $X$ on $Y$. We may assume
$\Pr[r_V^Y \mid d_V^Y] = 1$. Suppose that $\Pr[r_V^Y] \le \varepsilon_0$ if $Y = X$ and $\Pr[r_V^Y] \ge 1 - \varepsilon_1$ if $f(Y) \neq
f(X)$. We wish to lower-bound $\Pr[d_V^Y]$ for all $Y$ such that $f(Y) \neq f(X)$. Observe that

$$\Pr[r_V^Y \wedge \neg d_V^Y \mid f(Y) \neq f(X)] \le \Pr[r_V^X \wedge \neg d_V^X] = \Pr[r_V^X] \le \varepsilon_0.$$

Hence for $f(Y) \neq f(X)$,

$$\Pr[d_V^Y] \ge \Pr[r_V^Y] - \Pr[r_V^Y \wedge \neg d_V^Y] \ge 1 - \varepsilon_1 - \varepsilon_0.$$

Now let $V^*$ be identical to $V$ except that, whenever $V$ rejects despite having found no
disagreement with $X$, $V^*$ accepts. Clearly $\Pr[r_{V^*}^X] = 0$. Also, in the case $f(Y) \neq f(X)$,

$$\Pr[r_{V^*}^Y] = \Pr[d_V^Y] \ge 1 - \varepsilon_1 - \varepsilon_0.$$

The result follows since $O(1)$ repetitions suffice to boost any constant error probability to
any other constant error probability.

For $\mathrm{QC}(f)$, suppose the verifier's final state given input $Y$ is

$$\sum_z \alpha_z^Y |z\rangle \left(\beta_z^Y |0\rangle + \gamma_z^Y |1\rangle\right)$$

where $|0\rangle$ is the reject state, $|1\rangle$ is the accept state, and $|\beta_z^Y|^2 + |\gamma_z^Y|^2 = 1$ for all $z$. Suppose
also that $A^X \ge 1 - \varepsilon_0$ and that $A^Y \le \varepsilon_1$ whenever $f(Y) \neq f(X)$, where $A^Y = \sum_z |\alpha_z^Y \gamma_z^Y|^2$
is the probability of accepting. Then the verifier can make $A^X = 1$ by performing the
conditional rotation

$$\begin{pmatrix} \gamma_z^X & -\beta_z^X \\ \beta_z^X & \gamma_z^X \end{pmatrix}$$

on the second register prior to measurement. In the case $f(Y) \neq f(X)$, this produces

z 

2Ei^i 2 (i/5fi 2 +| 7 r |2N 



< 



< 2(e + £i) 



It is immediate that $\mathrm{QC}(f) \le \mathrm{RC}(f) \le C(f)$, that $\mathrm{QC}(f) = O(Q_2(f))$, and
that $\mathrm{RC}(f) = O(R_2(f))$. We also have $\mathrm{RC}(f) = \Omega(\mathrm{bs}(f))$, since a randomized verifier
for $X$ must query each sensitive block on $X$ with 1/2 probability. This suggests viewing
$\mathrm{RC}(f)$ as an 'alloy' of block sensitivity and certificate complexity, an interpretation for
which Section gives some justification. 
The results of this chapter are as follows. In Section 8.3 I show that $\mathrm{QC}(f) =
\Theta(\sqrt{\mathrm{RC}(f)})$ for all $f$ (partial or total), precisely characterizing quantum certificate complexity
in terms of randomized certificate complexity. To do this, I first give a nonadaptive
characterization of $\mathrm{RC}(f)$, and then apply the adversary method of Ambainis [27] to lower-bound
$\mathrm{QC}(f)$ in terms of this characterization. Then, in Section 8.4, I extend results on
polynomials due to de Wolf [244] and to Nisan and Smolensky (as described by Buhrman
and de Wolf [78]), to show that $R_0(f) = O(\mathrm{RC}(f)\, \mathrm{ndeg}(f) \log n)$ for all total $f$, where
$\mathrm{ndeg}(f)$ is the minimum degree of a polynomial $p$ such that $p(X) \neq 0$ if and only if
$f(X) \neq 0$. Combining the results of Sections 8.3 and 8.4 leads to a new lower bound on
quantum query complexity: that $R_0(f) = O(Q_2(f)^2 Q_0(f) \log n)$ for all total $f$. To my
knowledge, this is the first quantum lower bound to use both the adversary method and
the polynomial method at different points in the argument.

Finally, in Section 8.5, I exhibit asymptotic gaps between $\mathrm{RC}(f)$ and other query
complexity measures, including a total $f$ for which $C(f) = \Theta(\mathrm{QC}(f)^{2.205})$, and a symmetric
partial $f$ for which $\mathrm{QC}(f) = O(1)$ yet $Q_2(f) = \Omega(n/\log n)$. I conclude in Section
8.6 with some open problems.



8.2 Related Work 

Raz et al. [197] studied a query complexity measure they called $\mathrm{ma}(f)$, for Merlin-Arthur.
In my notation, $\mathrm{ma}(f)$ equals the maximum of $\mathrm{RC}^X(f)$ over all $X$ with $f(X) = 1$. Raz
et al. observed that $\mathrm{ma}(f) = \mathrm{ip}(f)$, where $\mathrm{ip}(f)$ is the number of queries needed given
arbitrarily many rounds of interaction with a prover. They also used error-correcting codes
to construct a total $f$ for which $\mathrm{ma}(f) = O(1)$ but $C(f) = \Omega(n)$. This has similarities to
the construction, in Section 8.5.2, of a symmetric partial $f$ for which $\mathrm{QC}(f) = O(1)$ but
$Q_2(f) = \Omega(n/\log n)$. Aside from that and from Proposition 29, Raz et al.'s results do not
overlap with the results here.

Watrous [239] has investigated a different notion of 'quantum certificate complexity' —
whether certificates that are quantum states can be superpolynomially smaller than any
classical certificate. Also, de Wolf [245] has investigated 'nondeterministic quantum query
complexity' in the alternate sense of algorithms that accept with zero probability when
$f(Y) = 0$, and with positive probability when $f(Y) = 1$.



8.3 Characterization of Quantum Certificate Complexity 

We wish to show that $\mathrm{QC}(f) = \Theta(\sqrt{\mathrm{RC}(f)})$, precisely characterizing quantum certificate
complexity in terms of randomized certificate complexity. The first step is to give a simpler
characterization of $\mathrm{RC}(f)$.

Lemma 30 Call a randomized verifier for $X$ nonadaptive if, on input $Y$, it queries each
$y_i$ with independent probability $\lambda_i$, and rejects if and only if it encounters a disagreement
with $X$. (Thus, we identify such a verifier with the vector $(\lambda_1, \ldots, \lambda_n)$.) Let $\mathrm{RC}_{na}^X(f)$
be the minimum of $\lambda_1 + \cdots + \lambda_n$ over all nonadaptive verifiers for $X$. Then $\mathrm{RC}_{na}^X(f) =
\Theta(\mathrm{RC}^X(f))$.

Proof. Clearly $\mathrm{RC}_{na}^X(f) = \Omega(\mathrm{RC}^X(f))$. For the upper bound, we can assume
that a randomized verifier rejects immediately on finding a disagreement with $X$, and
accepts if it finds no disagreement. Let $\mathcal{Y} = \{Y : f(Y) \neq f(X)\}$. Let $V$ be an optimal
randomized verifier, and let $p_t(Y)$ be the probability that $V$, when given input $Y \in \mathcal{Y}$, finds
a disagreement with $X$ on the $t$-th query. By Markov's inequality, $V$ must have found a
disagreement with probability at least 1/2 after $T = \lceil 2\,\mathrm{RC}^X(f) \rceil$ queries. So by the union
bound

$$p_1(Y) + \cdots + p_T(Y) \ge \frac{1}{2}$$

for each $Y \in \mathcal{Y}$. Suppose we choose $t \in \{1, \ldots, T\}$ uniformly at random and simulate the
$t$-th query, pretending that queries $1, \ldots, t-1$ have already been made and have returned
agreement with $X$. Then we must find a disagreement with probability at least $1/2T$.
By repeating this procedure $4T$ times, we can boost the probability to $1 - e^{-2}$. For $i \in
\{1, \ldots, n\}$, let $\lambda_i$ be the probability that $y_i$ is queried at least once. Then $\lambda_1 + \cdots + \lambda_n \le 4T$,
whereas for each $Y \in \mathcal{Y}$,

$$\sum_{i \,:\, y_i \neq x_i} \lambda_i \ge 1 - e^{-2}.$$

It follows that, if each $y_i$ is queried with independent probability $\lambda_i$, then the probability
that at least one $y_i$ disagrees with $X$ is at least

$$1 - \prod_{i \,:\, y_i \neq x_i} (1 - \lambda_i) \ge 1 - \left(1 - \frac{1 - e^{-2}}{n}\right)^n > 0.57.$$



To obtain a lower bound on $\mathrm{QC}(f)$, I will use the following simple reformulation
of Ambainis's adversary method [27].

Theorem 31 (Ambainis) Given a function $f : S \to \{0,1\}$ with $S \subseteq \{0,1\}^n$, let $\beta$ be
a function from $S$ to nonnegative reals, and let $R : S^2 \to \{0,1\}$ be a relation such that
$R(X,Y) = R(Y,X)$ for all $X, Y$ and $R(X,Y) = 0$ whenever $f(X) = f(Y)$. Let $\delta_0, \delta_1 \in
(0,1]$ be such that for every $X \in S$ and $i \in \{1, \ldots, n\}$,

Y:R(X,Y)=1 
Y : R(X,Y)=l,Xi^ yi 

Then Q 2 (/) = n(vS)- 

I now prove the main result of the section. 
Theorem 32 For all $f$ (partial or total) and all $X$,

$$\mathrm{QC}^X(f) = \Theta\left(\sqrt{\mathrm{RC}^X(f)}\right).$$

Proof. Let $(\lambda_1, \ldots, \lambda_n)$ be an optimal nonadaptive randomized verifier for $X$, and
let

$$S = \lambda_1 + \cdots + \lambda_n.$$

First, $\mathrm{QC}^X(f) = O(\sqrt{S})$. We can run a "weighted Grover search," in which the proportion
of basis states querying index $i$ is within a constant factor of $\lambda_i/S$. (It suffices to use
$n^2$ basis states.) Let $\mathcal{Y} = \{Y : f(Y) \neq f(X)\}$; then for any $Y \in \mathcal{Y}$, $O(\sqrt{S})$ iterations
suffice to find a disagreement with $X$ with probability $\Omega(1)$. Second, $\mathrm{QC}^X(f) = \Omega(\sqrt{S})$.
Consider a matrix game in which Alice chooses an index $i$ to query and Bob chooses $Y \in \mathcal{Y}$;
Alice wins if and only if $y_i \neq x_i$. If both players are rational, then Alice wins with probability
$O(1/S)$, since otherwise Alice's strategy would yield a verifier $(\lambda'_1, \ldots, \lambda'_n)$ with

$$\lambda'_1 + \cdots + \lambda'_n = o(S).$$

Hence by the minimax theorem, there exists a distribution $\mu$ over $\mathcal{Y}$ such that for every $i$,

$$\Pr_{Y \sim \mu}[y_i \neq x_i] = O(1/S).$$

Let $\beta(X) = 1$ and let $\beta(Y) = \mu(Y)$ for each $Y \in \mathcal{Y}$. Also, let $R(Y, Z) = 1$ if and only
if $Z = X$ for each $Y \in \mathcal{Y}$ and $Z \notin \mathcal{Y}$. Then we can take $\delta_{f(Y)} = 1$ and $\delta_{f(X)} = O(1/S)$
in Theorem 31. So the quantum query complexity of distinguishing $X$ from an arbitrary
$Y \in \mathcal{Y}$ is $\Omega(\sqrt{S})$. ■

8.4 Quantum Lower Bound for Total Functions 

The goal of this section is to show that

$$R_0(f) = O(Q_2(f)^2\, Q_0(f) \log n)$$

for all total $f$. Say that a real multilinear polynomial $p(x_1, \ldots, x_n)$ nondeterministically
represents $f$ if for all $X \in \{0,1\}^n$, $p(X) \neq 0$ if and only if $f(X) \neq 0$. Let $\mathrm{ndeg}(f)$ be the
minimum degree of a nondeterministic polynomial for $f$. Also, given such a polynomial $p$,
say that a monomial $M_1 \in p$ is covered by $M_2 \in p$ if $M_2$ contains every variable in $M_1$. A
monomial $M$ is called a maxonomial if it is not covered by any other monomial of $p$. The
following is a simple generalization of a lemma attributed in [78] to Nisan and Smolensky.

Lemma 33 (Nisan-Smolensky) Let $p$ nondeterministically represent $f$. Then for every
maxonomial $M$ of $p$ and $X \in f^{-1}(0)$, there is a set $B$ of variables in $M$ such that $f(X^{(B)}) \neq
f(X)$, where $X^{(B)}$ is obtained from $X$ by flipping the variables in $B$.






Proof. Obtain a restricted function $g$ from $f$, and a restricted polynomial $q$ from
$p$, by setting each variable outside of $M$ to $x_i$. Then $g$ cannot be constant, since its
representing polynomial $q$ contains $M$ as a monomial. Thus there is a subset $B$ of variables
in $M$ such that $g(X^{(B)}) = 1$, and hence $f(X^{(B)}) = 1$. ■

Using Lemma 33, de Wolf [244] showed that $D(f) \le C(f)\,\mathrm{ndeg}(f)$ for all total
$f$, slightly improving the result $D(f) \le C(f) \deg(f)$ due to Buhrman and de Wolf [75].
In Theorem 35, I will give an analogue of this result for randomized query and certificate
complexities. However, I first need a probabilistic lemma.

Lemma 34 Suppose we repeatedly apply the following procedure: first identify the set $B$ of
maxonomials of $p$, then 'shrink' each $M \in B$ with (not necessarily independent) probability
at least 1/2. Shrinking $M$ means replacing it by an arbitrary monomial of degree $\deg(M) -
1$. Then with high probability $p$ is a constant polynomial after $O(\deg(p) \log n)$ iterations.

Proof. For any set $A$ of monomials, consider the weighting function

$$\omega(A) = \sum_{M \in A} \deg(M)!$$

Let $S$ be the set of monomials of $p$. Initially $\omega(S) \le n^{\deg(p)} \deg(p)!$, and we are done when
$\omega(S) = 0$. The claim is that at every iteration, $\omega(B) \ge \frac{1}{e}\,\omega(S)$. Every $M^* \in S \setminus B$ is
covered by some $M \in B$, but a given $M \in B$ can cover at most $\binom{\deg(M)}{\ell}$ distinct $M^*$ with
$\deg(M^*) = \ell$. Hence

$$\omega(S \setminus B) \le \sum_{M \in B} \sum_{\ell=0}^{\deg(M)-1} \binom{\deg(M)}{\ell}\, \ell! \le \sum_{M \in B} \deg(M)! \left(\frac{1}{1!} + \frac{1}{2!} + \cdots\right) \le (e - 1)\, \omega(B).$$

At every iteration, the contribution of each $M \in B$ to $\omega(A)$ has at least 1/2
probability of shrinking from $\deg(M)!$ to $(\deg(M) - 1)!$ (or to 0 if $\deg(M) = 1$). When
this occurs, the contribution of $M$ is at least halved. Hence $\omega(S)$ decreases by an expected
amount at least $\frac{1}{4e}\,\omega(S)$. Thus after

$$\log_{4e/(4e-1)}\left(2 n^{\deg(p)} \deg(p)!\right) = O(\deg(p) \log n)$$

iterations, the expectation of $\omega(S)$ is less than 1/2, so $S$ is empty with probability at least
1/2. ■

I can now prove the main result.²

Theorem 35 For total $f$,

$$R_0(f) = O(\mathrm{RC}(f)\, \mathrm{ndeg}(f) \log n).$$

² The proof of Theorem 35 that I gave previously [1] makes a claim that is both superfluous for proving
the theorem and false. I am grateful to Gatis Midrijanis for pointing this out to me.
Proof. The algorithm is as follows.

    Repeat
        Choose a 0-input X compatible with all queries made so far³
        Query a randomized 0-certificate for X
    Until f has been restricted to a constant function

Let $p$ be a polynomial that nondeterministically represents $f$. Then the key fact
is that for every 0-input $X$, when we query a randomized 0-certificate for $X$ we "hit" each
maxonomial $M$ of $p$ with probability at least 1/2. Here hitting $M$ means querying a
variable in $M$. This is because, by Lemma 33, it is possible to change $f(X)$ from 0 to 1
just by flipping variables in $M$. So a randomized certificate would be incorrect if it probed
those variables with probability less than 1/2.

Therefore, each iteration of the algorithm shrinks each maxonomial of $p$ with
probability at least 1/2. It follows from Lemma 34 that the algorithm terminates after an
expected number of iterations $O(\deg(p) \log n)$. ■

Buhrman et al. [45] showed that $\mathrm{ndeg}(f) \le 2\,Q_0(f)$. Combining this with Theorems
32 and 35 yields a new relation between classical and quantum query complexity.

Corollary 36 For all total $f$,

$$R_0(f) = O(Q_2(f)^2\, Q_0(f) \log n).$$

The best previous relation of this kind was $R_0(f) = O(Q_2(f)^2 Q_0(f)^2)$, due to
de Wolf [244]. It is worth mentioning another corollary of Theorems 32 and 35, this one
purely classical:

Corollary 37 For all total $f$,

$$R_0(f) = O(R_2(f)\, \mathrm{ndeg}(f) \log n).$$

Previously, no relation between $R_0$ and $R_2$ better than $R_0(f) = O(R_2(f)^3)$ was
known (although no asymptotic gap between $R_0$ and $R_2$ is known either [210]).

8.5 Asymptotic Gaps 

Having related $\mathrm{RC}(f)$ and $\mathrm{QC}(f)$ to other query complexity measures in Section 8.4, in
what follows I seek the largest possible asymptotic gaps among the measures. In particular,
I give a total $f$ for which $\mathrm{RC}(f) = \Theta(C(f)^{0.907})$ and hence $C(f) = \Theta(\mathrm{QC}(f)^{2.205})$, as

RC (/r M . Although these gaps are the largest 

of which I know, Section 8.5.1 shows that no 'local' technique can improve the relations
$C(f) = O(\mathrm{RC}(f)^2)$ and $\mathrm{RC}(f) = O(\mathrm{bs}(f)^2)$. Finally, Section 8.5.2 uses combinatorial
designs to construct a symmetric partial $f$ for which $\mathrm{RC}(f)$ and $\mathrm{QC}(f)$ are $O(1)$, yet
$Q_2(f) = \Omega(n/\log n)$.

³ Clearly, as long as $f$ is not a constant function, there exists a 0-input $X$ compatible with all queries
made so far.

Wegener and Zadori [240] exhibited total Boolean functions with asymptotic gaps
between $C(f)$ and $\mathrm{bs}(f)$. In similar fashion, I give a function family $\{g_t\}$ with an asymptotic
gap between $C(g_t)$ and $\mathrm{RC}(g_t)$. Let $g_1(x_1, \ldots, x_{29})$ equal 1 if and only if the Hamming
weight of its input is 13, 14, 15, or 16. (The parameter 29 was found via computer search
to produce a maximal separation.) Then for $t > 1$, let

$$g_t(x_1, \ldots, x_{29^t}) = g_0\left[g_{t-1}(X_1), \ldots, g_{t-1}(X_{29})\right]$$

where $X_1$ is the first $29^{t-1}$ input bits, $X_2$ is the second $29^{t-1}$, and so on. For $k \in \{0,1\}$,
let

$$\mathrm{bs}^k(f) = \max_{f(X)=k} \mathrm{bs}^X(f),$$

$$C^k(f) = \max_{f(X)=k} C^X(f).$$

Then since $\mathrm{bs}^0(g_1) = \mathrm{bs}^1(g_1) = 17$, we have $\mathrm{bs}(g_t) = 17^t$. On the other hand, $C^0(g_1) = 17$
but $C^1(g_1) = 26$, so

$$C^1(g_t) = 13\, C^1(g_{t-1}) + 13\, C^0(g_{t-1}),$$

$$C^0(g_t) = 17 \max\{C^1(g_{t-1}), C^0(g_{t-1})\}.$$

Solving this recurrence yields $C(g_t) = O(22.725^t)$. We can now show a gap between $C$
and $\mathrm{RC}$.



Proposition 38 $\mathrm{RC}(g_t) = \Theta(C(g_t)^{0.907})$.

Proof. Since $\mathrm{bs}(g_t) = \Omega(C(g_t)^{0.907})$, it suffices to show that $\mathrm{RC}(g_t) = O(\mathrm{bs}(g_t))$.
The randomized verifier $V$ chooses an input variable to query as follows. Let $X$ be
the claimed input, and let $K = \sum_{i=1}^{29} g_{t-1}(X_i)$. Let $I_0 = \{i : g_{t-1}(X_i) = 0\}$ and $I_1 =
\{i : g_{t-1}(X_i) = 1\}$. With probability $p_K$, $V$ chooses an $i \in I_1$ uniformly at random; otherwise
$V$ chooses an $i \in I_0$ uniformly at random. Here $p_K$ is as follows.

$K$      [0,12]   13      14     15     16     [17,29]
$p_K$    0        13/17   7/12   5/12   4/17   1

Once $i$ is chosen, $V$ repeats the procedure for $X_i$, and continues recursively in this
manner until reaching a variable $y_j$ to query. One can check that if $g_t(X) \neq g_t(Y)$, then
$g_{t-1}(X_i) \neq g_{t-1}(Y_i)$ with probability at least 1/17. Hence $x_j \neq y_j$ with probability at
least $1/17^t$, and $\mathrm{RC}(g_t) = O(17^t)$. ■
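The numerical claims about $g_1$ above (block sensitivity 17, certificate complexities 17 and 26, the growth rate 22.725, the exponent 0.907, and the 1/17 bound that "one can check" in the proof of Proposition 38) can be verified by exhaustive search over Hamming weights, because $g_1$ is symmetric. The Python below is an added example, not code from the thesis; the function names are illustrative, and the reduction to Hamming weights is the only assumption beyond the definitions in the text.

```python
from fractions import Fraction
from functools import lru_cache

N = 29                      # number of inputs of g_1 (from the text)
ACCEPT = range(13, 17)      # g_1 = 1 iff the Hamming weight is 13, 14, 15 or 16


def g1(weight):
    return 1 if weight in ACCEPT else 0


def certificate_size(w):
    """Smallest certificate for an input of weight w.

    Fixing a ones and b zeros leaves exactly the weights a..N-b reachable,
    so the set is a certificate iff g1 is constant on that interval."""
    return min(a + b
               for a in range(w + 1) for b in range(N - w + 1)
               if all(g1(x) == g1(w) for x in range(a, N - b + 1)))


def block_sensitivity(w):
    """Largest number of disjoint sensitive blocks on an input of weight w.

    A block flipping d ones and u zeros is sensitive iff g1(w - d + u) != g1(w);
    disjoint blocks draw on a budget of w ones and N - w zeros."""
    moves = [(d, u) for d in range(w + 1) for u in range(N - w + 1)
             if g1(w - d + u) != g1(w)]

    @lru_cache(maxsize=None)
    def pack(ones_left, zeros_left):
        return max((1 + pack(ones_left - d, zeros_left - u)
                    for d, u in moves if d <= ones_left and u <= zeros_left),
                   default=0)

    return pack(w, N - w)


def by_value(measure):
    """(max over 0-inputs, max over 1-inputs) of a per-weight measure."""
    best = [0, 0]
    for w in range(N + 1):
        best[g1(w)] = max(best[g1(w)], measure(w))
    return tuple(best)


def certificate_recurrence(t):
    """(C^0(g_t), C^1(g_t)) obtained by iterating the recurrence from g_1."""
    c0, c1 = by_value(certificate_size)
    for _ in range(t - 1):
        c0, c1 = 17 * max(c1, c0), 13 * c1 + 13 * c0
    return c0, c1


def growth_rate(t=60):
    """C(g_{t+1}) / C(g_t), which converges to the base of the exponential."""
    return max(certificate_recurrence(t + 1)) / max(certificate_recurrence(t))


P_K = {13: Fraction(13, 17), 14: Fraction(7, 12),
       15: Fraction(5, 12), 16: Fraction(4, 17)}


def p_ones(k):
    """p_K from the table: probability that V picks its index inside I_1."""
    if k <= 12:
        return Fraction(0)
    return P_K.get(k, Fraction(1))


def worst_detection():
    """Minimum, over X and over Y with a different top-level value, of the
    probability that the index V picks is one where the two sides differ."""
    worst = Fraction(1)
    for k in range(N + 1):
        p = p_ones(k)
        for d in range(k + 1):              # positions that are 1 in X, 0 in Y
            for u in range(N - k + 1):      # positions that are 0 in X, 1 in Y
                if g1(k - d + u) == g1(k):
                    continue
                hit = Fraction(0)
                if k:
                    hit += p * Fraction(d, k)
                if N - k:
                    hit += (1 - p) * Fraction(u, N - k)
                worst = min(worst, hit)
    return worst


if __name__ == "__main__":
    print("bs^0, bs^1:", by_value(block_sensitivity))
    print("C^0,  C^1: ", by_value(certificate_size))
    print("growth rate:", round(growth_rate(), 3))
    print("worst detection probability:", worst_detection())
```

The same per-level check applies at every level of the recursion, since the top-level function only sees the 29 values $g_{t-1}(X_i)$.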

By Theorem 32, it follows that $C(g_t) = \Theta(\mathrm{QC}(g_t)^{2.205})$. This offers a surprising
contrast with the query complexity setting, where the best known gap between the
deterministic and quantum measures is quadratic (D (/) = O (Q 2 (f) 2 
The family $\{g_t\}$ happens not to yield an asymptotic gap between $\mathrm{bs}(f)$ and $\mathrm{RC}(f)$.
The reason is that any input to $g_0$ can be covered perfectly by sensitive blocks of minimum
size, with no variables left over. In general, though, one can have $\mathrm{bs}(f) = o(\mathrm{RC}(f))$. As
reported by Bublitz et al. [71], M. Paterson found a total Boolean function $h_1(x_1, \ldots, x_6)$
such that $C^X(h_1) = 5$ and $\mathrm{bs}^X(h_1) = 4$ for all $X$. Composing $h_1$ recursively yields
$\mathrm{bs}(h_t) = \Theta(C(h_t)^{0.861})$ and $\mathrm{bs}(h_t) = \Theta(\mathrm{RC}(h_t)^{0.922})$, both of which are the largest such
gaps of which I know.

8.5.1 Local Separations 



It is a longstanding open question whether the relation $C(f) \le \mathrm{bs}(f)^2$ due to Nisan [183]
is tight. As a first step, one can ask whether the relations $C(f) = O(\mathrm{RC}(f)^2)$ and
$\mathrm{RC}(f) = O(\mathrm{bs}(f)^2)$ are tight. In this section I introduce a notion of local proof in query
complexity, and then show there is no local proof that $C(f) = o(\mathrm{RC}(f)^2)$ or that
$\mathrm{RC}(f) = o(\mathrm{bs}(f)^2)$. This implies that proving either result would require techniques unlike those
that are currently known. My inspiration comes from computational complexity, where
researchers first formalized known methods of proof, including relativizable proofs |1J and
natural proofs |2UL)j, and then argued that these methods were not powerful enough to
resolve the field's outstanding problems.

Let G(f) and H(f) be query complexity measures obtained by maximizing over
all inputs — that is,

$$G(f) = \max_X G^X(f), \qquad H(f) = \max_X H^X(f).$$

Call $B \subseteq \{1, \ldots, n\}$ a minimal block on X if B is sensitive on X (meaning $f(X^{(B)}) \ne f(X)$),
and no sub-block $B' \subset B$ is sensitive on X. Also, let X's neighborhood $\mathcal{N}(X)$
consist of X together with $X^{(B)}$ for every minimal block B of X. Consider a proof that
$G(f) = O(t(H(f)))$ for some nondecreasing t. I call the proof local if it proceeds by
showing that for every input X,

$$G^X(f) = O\left(\max_{Y \in \mathcal{N}(X)} \left\{t\left(H^Y(f)\right)\right\}\right).$$

As a canonical example, Nisan's proof [183] that $C(f) \le \mathrm{bs}(f)^2$ is local. For each X,
Nisan observes that (i) a maximal set of disjoint minimal blocks is a certificate for X, (ii)
such a set can contain at most $\mathrm{bs}^X(f)$ blocks, and (iii) each block can have size at most
$\max_{Y \in \mathcal{N}(X)} \mathrm{bs}^Y(f)$. Another example of a local proof is the proof in Section 8.3 that
$\mathrm{RC}(f) = O(\mathrm{QC}(f)^2)$.

Proposition 39 There is no local proof showing that $C(f) = o(\mathrm{RC}(f)^2)$ or that
$\mathrm{RC}(f) = o(\mathrm{bs}(f)^2)$ for all total f.

Proof. The first part is easy: let $f(X) = 1$ if $|X| \ge \sqrt{n}$ (where |X| denotes the
Hamming weight of X), and $f(X) = 0$ otherwise. Consider the all-zero input $0^n$. We
have $C^{0^n}(f) = n - \lceil\sqrt{n}\rceil + 1$, but $\mathrm{RC}^{0^n}(f) = O(\sqrt{n})$, and indeed $\mathrm{RC}^Y(f) = O(\sqrt{n})$ for all
$Y \in \mathcal{N}(0^n)$. For the second part, arrange the input variables in a lattice of size $\sqrt{n} \times \sqrt{n}$.
Take $m = O(n^{1/3})$, and let g(X) be the monotone Boolean function that outputs 1 if and
only if X contains a 1-square of size $m \times m$. This is a square of 1's that can wrap around
the edges of the lattice; note that only the variables along the sides must be set to 1, not
those in the interior. An example input, with a 1-square of size 3 × 3, is shown below.



10 11 
10 10 
10 11 

Clearly $\mathrm{bs}^{0^n}(g) = \Theta(n^{1/3})$, since there can be at most $n/m^2$ disjoint 1-squares of size
$m \times m$. Also, $\mathrm{bs}^Y(g) = O(n^{1/3})$ for any Y that is 0 except for a single 1-square. On the
other hand, if we choose uniformly at random among all such Y's, then at any lattice site
i, $\Pr_Y[y_i = 1] = \Theta(n^{-2/3})$. Hence $\mathrm{RC}^{0^n}(g) = \Omega(n^{2/3})$. ■

8.5.2 Symmetric Partial Functions 

If f is partial, then QC(f) can be much smaller than $Q_2(f)$. This is strikingly illustrated
by the collision problem: let Col(Y) = 0 if $Y = y_1 \ldots y_n$ is a one-to-one sequence and
Col(Y) = 1 if Y is a two-to-one sequence, promised that one of these is the case. Then
RC(Col) = QC(Col) = O(1), since every one-to-one input differs from every two-to-one
input on at least n/2 of the $y_i$'s. On the other hand, Chapter showed that
$Q_2(\mathrm{Col}) = \Omega(n^{1/5})$.

From the example of the collision problem, it is tempting to conjecture that (say)
$Q_2(f) = O(n^{1/3})$ whenever QC(f) = O(1) — that is, 'if every 0-input is far from every
1-input, then the quantum query complexity is sublinear.' Here I disprove this conjecture,
even for the special case of symmetric functions such as Col. (Given a finite set $\mathcal{H}$, a function
$f : S \to \{0, 1\}$ where $S \subseteq \mathcal{H}^n$ is called symmetric if $x_1 \ldots x_n \in S$ implies $x_{\sigma(1)} \ldots x_{\sigma(n)} \in S$
and $f(x_1 \ldots x_n) = f(x_{\sigma(1)} \ldots x_{\sigma(n)})$ for every permutation σ.)

The proof uses the following lemma, which can be found in Nisan and Wigderson
[185] for example.

Lemma 40 (Nisan-Wigderson) For any γ > 1, there exists a family of sets

$$A_1, \ldots, A_m \subseteq \{1, \ldots, \lceil \gamma n \rceil\}$$

such that $m = \Omega(2^{n/\gamma})$, $|A_i| = n$ for all i, and $|A_i \cap A_j| \le n/\gamma$ for all $i \ne j$.

A lemma due to Ambainis [26] is also useful. Let $f : S \to \{0, 1\}$ where
$S \subseteq \{0, 1\}^n$ be a partial Boolean function, and let $p : \{0, 1\}^n \to \mathbb{R}$ be a real-valued multilinear
polynomial. We say that p approximates f if (i) $p(X) \in [0, 1]$ for every input $X \in \{0, 1\}^n$
(not merely those in S), and (ii) $|p(X) - f(X)| \le 1/3$ for every $X \in S$.

Lemma 41 (Ambainis) At most $2^{O(\Delta(n,d)\, d n^2)}$ distinct Boolean functions (partial or total)
can be approximated by polynomials of degree d, where $\Delta(n, d) = \sum_{i=0}^{d} \binom{n}{i}$.

The result is an easy consequence of Lemmas 40 and 41.

Theorem 42 There exists a symmetric partial f for which QC(f) = O(1) and
$Q_2(f) = \Omega(n / \log n)$.

Proof. Let $f : S \to \{0, 1\}$ where $S \subseteq \{1, \ldots, 3n\}^n$, and let $m = \Omega(2^{n/3})$.
Let $A_1, \ldots, A_m \subseteq \{1, \ldots, 3n\}$ be as in Lemma 40. We put $x_1, \ldots, x_n$ in S if and only if
$\{x_1, \ldots, x_n\} = A_j$ for some j. Clearly QC(f) = O(1), since if $i \ne j$ then every permutation
of $A_i$ differs from every permutation of $A_j$ on at least n/3 indices. The number of symmetric
f with S as above is $2^m = 2^{\Omega(2^{n/3})}$. We can convert any such f to a Boolean function
g on O(n log n) variables. But Beals et al. [45] showed that, if $Q_2(g) = T$, then g is
approximated by a polynomial of degree at most 2T. So by Lemma 41, if $Q_2(g) \le T$ for
every g then

$$2T \cdot \Delta(n \log n, 2T) \cdot (n \log n)^2 = \Omega(2^{n/3})$$

and we solve to obtain $T = \Omega(n / \log n)$. ■

8.6 Open Problems 

Is $\deg(f) = \Omega(\sqrt{\mathrm{RC}(f)})$, where deg(f) is the minimum degree of a polynomial
approximating f? In other words, can one lower-bound QC(f) using the polynomial method of
Beals et al. rather than the adversary method of Ambainis [27]?

Also, is $R_0(f) = O(\mathrm{RC}(f)^2)$? If so we obtain the new relations
$R_0(f) = O(Q_2(f)^4)$ and $R_0(f) = O(R_2(f)^2)$.

Chapter 9

The Need to Uncompute 



Like a classical algorithm, a quantum algorithm can solve problems recursively by 
calling itself as a subroutine. When this is done, though, the algorithm typically needs 
to call itself twice for each subproblem to be solved. The second call's purpose is to 
uncompute 'garbage' left over by the first call, and thereby enable interference between 
different branches of the computation. Of course, a factor of 2 increase in running time 
hardly seems like a big deal, when set against the speedups promised by quantum computing. 
The problem is that these factors of 2 multiply, with each level of recursion producing 
an additional factor. Thus, one might wonder whether the uncomputing step is really 
necessary, or whether a cleverly designed algorithm might avoid it. This chapter gives the 
first nontrivial example in which recursive uncomputation is provably necessary. 

The example concerns a long-neglected problem called Recursive Fourier Sampling
(henceforth RFS), which was introduced by Bernstein and Vazirani [55] in 1993 to prove the
first oracle separation between BPP and BQP. Many surveys on quantum computing pass
directly from the Deutsch-Jozsa algorithm to the dramatic results of Simon [220] and
Shor [219], without even mentioning RFS. There are two likely reasons for this neglect.
First, the RFS problem seems artificial. It was introduced for the sole purpose of proving
an oracle result, and is unlike all other problems for which a quantum speedup is known.
(I will define RFS in Section 9.1, but for now, it involves a tree of depth log n, where each
vertex is labeled with a function to be evaluated via a Fourier transform.) Second, the
speedup for RFS is only quasipolynomial (n versus $n^{\log n}$), rather than exponential as for
the period-finding and hidden subgroup problems.

Nevertheless, I believe that RFS merits renewed attention — for it serves as an
important link between quantum computing and the ideas of classical complexity theory. One
reason is that, although other problems in BQP — such as the factoring, discrete logarithm,
and 'shifted Legendre symbol' problems [232] — are thought to be classically intractable,
these problems are quite low-level by complexity-theoretic standards. They, or their
associated decision problems, are in NP ∩ coNP.¹ By contrast, Bernstein and Vazirani [55]
showed that, as an oracle problem, RFS lies outside NP and even MA (the latter result is
unpublished, though not difficult). Subsequently Watrous [239] gave an oracle A, based
on an unrelated problem, for which $\mathsf{BQP}^A \not\subset \mathsf{MA}^A$.² Also, Green and Pruim [135] gave an
oracle B for which $\mathsf{BQP}^B \not\subset \mathsf{P}^{\mathsf{NP}^B}$. However, Watrous' problem was shown by Babai
to be in AM, while Green and Pruim's problem is in BPP. Thus, neither problem can be
used to place BQP outside higher levels of the polynomial hierarchy.

¹ For the shifted Legendre symbol problem, this is true assuming a number-theoretic conjecture of Boneh
and Lipton

On the other hand, Umesh Vazirani and others have conjectured that RFS is not in
PH, from which it would follow that there exists an oracle A relative to which $\mathsf{BQP}^A \not\subset \mathsf{PH}^A$.
Proving this is, in my view, one of the central open problems in quantum complexity theory.
Its solution seems likely to require novel techniques for constant-depth circuit lower bounds.³

In this chapter I examine the RFS problem from a different angle. Could Bernstein 
and Vazirani's quantum algorithm for RFS be improved even further, to give an exponential 
speedup over the classical algorithm? And could we use RFS, not merely to place BQP 
outside of PH relative to an oracle, but to place it outside of PH with (say) a logarithmic 
number of alternations? 

My answer to both questions is a strong 'no.' I study a large class of variations 
on RFS, and show that all of them fall into one of two classes: 

(1) a trivial class, for which there exists a classical algorithm making only one query, or 

(2) a nontrivial class, for which any quantum algorithm needs $2^{\Omega(h)}$ queries, where h is the
height of the tree to be evaluated. (By comparison, the Bernstein-Vazirani algorithm
uses $2^h$ queries, because of its need to uncompute garbage recursively at each level of
the tree.)

Since $n^h$ queries always suffice classically, this dichotomy theorem implies that the speedup
afforded by quantum computers is at most quasipolynomial. It also implies that (nontrivial)
RFS is solvable in quantum polynomial time only when h = O(log n).

The plan is as follows. In Section 9.1 I define the RFS problem, and give Bernstein
and Vazirani's quantum algorithm for solving it. In Section 9.2 I use the adversary method
of Ambainis [27] to prove a lower bound on the quantum query complexity of any RFS
variant. This bound, however, requires a parameter that I call the "nonparity coefficient"
to be large. Intuitively, given a Boolean function $g : \{0, 1\}^n \to \{0, 1\}$, the nonparity
coefficient measures how far g is from being the parity of some subset of its input bits — not
under the uniform distribution over inputs (the standard assumption in Fourier analysis),
but under an adversarial distribution. The crux of the argument is that either the nonparity
coefficient is zero (meaning the RFS variant in question is trivial), or else it is bounded below
by a positive constant. This statement is proved in Section 9.2 and seems like it might be
of independent interest. Section 9.3 concludes with some open problems.

² Actually, to place BQP outside MA relative to an oracle, it suffices to consider the complement of Simon's
problem ("Does $f(x) = f(x \oplus s)$ only when s = 0?").

³ For the RFS function can be represented by a low-degree real polynomial — this follows from the existence
of a polynomial-time quantum algorithm for RFS, together with the result of Beals et al. [45] relating
quantum algorithms to low-degree polynomials. As a result, the circuit lower bound technique of Razborov
[198] and Smolensky [223], which is based on the nonexistence of low-degree polynomials, seems unlikely to
work. Even the random restriction method of Furst et al. [120] can be related to low-degree polynomials,
as shown by Linial et al. [166].

9.1 Preliminaries

In ordinary Fourier sampling, we are given oracle access to a Boolean function
$A : \{0, 1\}^n \to \{0, 1\}$, and are promised that there exists a secret string $s \in \{0, 1\}^n$ such that
$A(x) = s \cdot x \pmod 2$ for all x. The problem is to find s — or rather, since we need a problem with
Boolean output, the problem is to return g(s), where $g : \{0, 1\}^n \to \{0, 1\}$ is some known
Boolean function. We can think of g(s) as the "hard-core bit" of s, and can assume that
g itself is efficiently computable, or else that we are given access to an oracle for g.

To obtain a height-2 recursive Fourier sampling tree, we simply compose this
problem. That is, we are no longer given direct access to A(x), but instead are promised
that $A(x) = g(s_x)$, where $s_x \in \{0, 1\}^n$ is the secret string for another Fourier sampling
problem. A query then takes the form (x, y), and produces as output $A_x(y) = s_x \cdot y \pmod 2$.
As before, we are promised that there exists an s such that $A(x) = s \cdot x \pmod 2$ for all x,
meaning that the $s_x$ strings must be chosen consistent with this promise. Again we must
return g(s).

Continuing, we can define height-h recursive Fourier sampling, or $\mathrm{RFS}_h$,
recursively as follows. We are given oracle access to a function $A(x_1, \ldots, x_h)$ for all
$x_1, \ldots, x_h \in \{0, 1\}^n$, and are promised that

(1) for each fixed $x_1^*$, $A(x_1^*, x_2, \ldots, x_h)$ is an instance of $\mathrm{RFS}_{h-1}$ on $x_2, \ldots, x_h$, having
answer bit $b(x_1^*) \in \{0, 1\}$; and

(2) there exists a secret string $s \in \{0, 1\}^n$ such that $b(x_1) = s \cdot x_1 \pmod 2$ for each $x_1$.

Again the answer bit to be returned is g(s). Note that g is assumed to be
the same everywhere in the tree — though using the techniques in this chapter, it would
be straightforward to generalize to the case of different g's. As an example that will be
used later, we could take $g(s) = g_{\mathrm{mod}3}(s)$, where $g_{\mathrm{mod}3}(s) = 0$ if $|s| \equiv 0 \pmod 3$ and
$g_{\mathrm{mod}3}(s) = 1$ otherwise, and |s| denotes the Hamming weight of s. We do not want to take
g to be the parity of s, for if we did then g(s) could be evaluated using a single query. To
see this, observe that if x is the all-1's string, then $s \cdot x \pmod 2$ is the parity of s.

By an 'input,' I will mean a complete assignment for the RFS oracle (that is,
$A(x_1, \ldots, x_h)$ for all $x_1, \ldots, x_h$). I will sometimes refer also to an 'RFS tree,' where each
vertex at distance $\ell$ from the root has a label $x_1, \ldots, x_\ell$. If $\ell = h$ then the vertex is a leaf;
otherwise it has $2^n$ children, each with a label $x_1, \ldots, x_\ell, x_{\ell+1}$ for some $x_{\ell+1}$. The subtrees
of the tree just correspond to the sub-instances of RFS.

Bernstein and Vazirani [55] showed that $\mathrm{RFS}_{\log n}$, or RFS with height log n (all
logarithms are base 2), is solvable on a quantum computer in time polynomial in n. I
include a proof for completeness. Let $A = (A_n)_{n \ge 0}$ be an oracle that, for each n, encodes an
instance of $\mathrm{RFS}_{\log n}$ whose answer is $\Psi_n$. Then let $L_A$ be the unary language $\{0^n : \Psi_n = 1\}$.

Lemma 43 $L_A \in \mathsf{EQP}^A \subseteq \mathsf{BQP}^A$ for any choice of A.

Proof. $\mathrm{RFS}_1$ can be solved exactly in four queries, with no garbage bits left over.
The algorithm is as follows: first prepare the state

x<={0,l} n

using one query to A. Then apply a phase flip conditioned on A(x) = 1, and uncompute
A(x) using a second query, obtaining

$$2^{-n/2} \sum_{x \in \{0,1\}^n} (-1)^{A(x)} |x\rangle.$$

Then apply a Hadamard gate to each bit of the $|x\rangle$ register. It can be checked that the
resulting state is simply $|s\rangle$. One can then compute $|s\rangle |g(s)\rangle$ and uncompute $|s\rangle$ using
two more queries to A, to obtain $|g(s)\rangle$. To solve $\mathrm{RFS}_{\log n}(n)$, we simply apply the
above algorithm recursively at each level of the tree. The total number of queries used is
$4^{\log n} = n^2$.

One can further reduce the number of queries to $2^{\log n} = n$ by using the "one-call
kickback trick," described by Cleve et al. [87]. Here one prepares the state

xe{o,ir V 

and then exclusive-OR's A(x) into the second register. This induces the desired phase
without the need to uncompute A(x). However, one still needs to uncompute $|s\rangle$
after computing $|g(s)\rangle$. ■
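The recursion in the proof of Lemma 43, simulated classically as an added example (not code from the thesis): `RFSInstance`, the function names and the convention for charging queries are assumptions made here, and the sample oracle is constructed. Branches that a quantum computer would run in superposition are enumerated one by one, and each level is charged `calls_per_level` times the cost of one child call.

```python
import random
from itertools import product


def dot(a, b):
    """Inner product of two bit tuples, mod 2."""
    return sum(x & y for x, y in zip(a, b)) & 1


def g_mod3(s):
    """g_mod3 from the text: 0 if the Hamming weight is 0 mod 3, else 1."""
    return 0 if sum(s) % 3 == 0 else 1


class RFSInstance:
    """Constructed RFS_h oracle over n-bit labels (sample data, built lazily)."""

    def __init__(self, n, h, g, root_bit, seed=1):
        self.h, self.g, self.root_bit = h, g, root_bit
        self.labels = list(product((0, 1), repeat=n))
        self.by_bit = {b: [s for s in self.labels if g(s) == b] for b in (0, 1)}
        self.rng = random.Random(seed)
        self.secrets = {}

    def answer_bit(self, prefix):
        """Bit that vertex `prefix` must output, fixed by its parent's secret."""
        if not prefix:
            return self.root_bit
        return dot(self.secret(prefix[:-1]), prefix[-1])

    def secret(self, prefix):
        """Secret s at an internal vertex, drawn so that g(s) is its answer bit."""
        if prefix not in self.secrets:
            pool = self.by_bit[self.answer_bit(prefix)]
            self.secrets[prefix] = self.rng.choice(pool)
        return self.secrets[prefix]

    def query(self, path):
        """Oracle A(x_1, ..., x_h): the bit stored at a leaf."""
        assert len(path) == self.h
        return self.answer_bit(path)


def hadamard_transform(v):
    """Unnormalised Walsh-Hadamard transform (H on every qubit), kept integral."""
    v = list(v)
    step = 1
    while step < len(v):
        for i in range(0, len(v), 2 * step):
            for j in range(i, i + step):
                v[j], v[j + step] = v[j] + v[j + step], v[j] - v[j + step]
        step *= 2
    return v


def solve(inst, prefix=(), calls_per_level=4):
    """Return (g(s) at `prefix`, the secret recovered there, queries charged).

    calls_per_level=4 models compute/uncompute of A followed by the same pair
    to uncompute |s>; calls_per_level=2 models the one-call kickback variant.
    """
    child_bits, child_cost = [], 1
    for x in inst.labels:  # one branch per basis state |x>
        if len(prefix) + 1 == inst.h:
            child_bits.append(inst.query(prefix + (x,)))
        else:
            bit, _, child_cost = solve(inst, prefix + (x,), calls_per_level)
            child_bits.append(bit)
    phases = [(-1) ** b for b in child_bits]   # 2^{n/2} times the amplitudes
    amps = hadamard_transform(phases)          # 2^n times the final amplitudes
    peak = max(range(len(amps)), key=lambda k: abs(amps[k]))
    # All weight sits on one basis state, i.e. the register holds exactly |s>.
    assert abs(amps[peak]) == len(amps) and sum(map(abs, amps)) == len(amps)
    s = inst.labels[peak]
    return inst.g(s), s, calls_per_level * child_cost


if __name__ == "__main__":
    inst = RFSInstance(n=3, h=2, g=g_mod3, root_bit=1, seed=7)
    print(solve(inst), solve(inst, calls_per_level=2))
```
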

A remark on notation: to avoid confusion with subscripts, I denote the i-th bit of
string x by x[i].

9.2 Quantum Lower Bound 

In this section I prove a lower bound on the quantum query complexity of RFS. Crucially,
the bound should hold for any nontrivial one-bit function of the secret strings, not just a
specific function such as $g_{\mathrm{mod}3}(s)$ defined in Section 9.1. Let $\mathrm{RFS}_h^g$ be height-h recursive
Fourier sampling in which the problem at each vertex is to return g(s). The following
notion turns out to be essential.

Definition 44 Given a Boolean function $g : \{0, 1\}^n \to \{0, 1\}$ (partial or total), the nonparity
coefficient μ(g) is the largest μ* for which there exist distributions $D_0$ over the 0-inputs
of g, and $D_1$ over the 1-inputs, such that for all $z \in \{0, 1\}^n$, all 0-inputs $\hat{s}_0$, and all 1-inputs
$\hat{s}_1$, we have

$$\Pr_{s_0 \in D_0,\, s_1 \in D_1}\left[s_0 \cdot z \equiv \hat{s}_1 \cdot z \pmod 2 \;\vee\; s_1 \cdot z \equiv \hat{s}_0 \cdot z \pmod 2\right] \ge \mu^*.$$

Loosely speaking, the nonparity coefficient is high if there exist distributions over
0-inputs and 1-inputs that make g far from being a parity function of a subset of input bits.
The following proposition develops some intuition about μ(g).

Proposition 45

(i) $\mu(g) \le 3/4$ for all nonconstant g.

(ii) $\mu(g) = 0$ if and only if g can be written as the parity (or the NOT of the parity) of a
subset B of input bits.

Proof.

(i) Given any $s_0 \ne \hat{s}_1$ and $s_1 \ne \hat{s}_0$, a uniform random z will satisfy

$$\Pr_z\left[s_0 \cdot z \not\equiv \hat{s}_1 \cdot z \pmod 2 \;\wedge\; s_1 \cdot z \not\equiv \hat{s}_0 \cdot z \pmod 2\right] \ge \frac{1}{4}.$$

(If $s_0 \oplus \hat{s}_1 = s_1 \oplus \hat{s}_0$ then this probability will be 1/2; otherwise it will be 1/4.) So
certainly there is a fixed choice of z that works for random $s_0$ and $s_1$.

(ii) For the 'if' direction, take z[i] = 1 if and only if $i \in B$, and choose $\hat{s}_0$ and $\hat{s}_1$ arbitrarily.
This ensures that μ* = 0. For the 'only if' direction, if μ(g) = 0, we can choose $D_0$
to have support on all 0-inputs, and $D_1$ to have support on all 1-inputs. Then there
must be a z such that $s_0 \cdot z$ is constant as we range over 0-inputs, and $s_1 \cdot z$ is constant
as we range over 1-inputs. Take $i \in B$ if and only if z[i] = 1.

■ 

If μ(g) = 0, then $\mathrm{RFS}_h^g$ is easily solvable using a single classical query. Theorem
47 will show that for all g (partial or total),

$$Q_2\left(\mathrm{RFS}_h^g\right) = \Omega\left(\left(\frac{1}{1 - \mu(g)}\right)^{h/2}\right),$$

where $Q_2$ is bounded-error quantum query complexity as defined in Section 5.1. In other
words, any RFS problem with μ bounded away from 0 requires a number of queries
exponential in the tree height h.

However, there is an essential further part of the argument, which restricts the
values of μ(g) itself. Suppose there existed a family $\{g_n\}$ of 'pseudoparity' functions: that
is, $\mu(g_n) > 0$ for all n, yet $\mu(g_n) = O(1/\log n)$. Then the best bound obtainable from
Theorem 47 would be $\Omega((1 + 1/\log n)^{h/2})$, suggesting that $\mathrm{RFS}^g_{\log^2 n}$ might still be solvable
in quantum polynomial time. On the other hand, it would be unclear a priori how to solve
$\mathrm{RFS}^g_{\log^2 n}$ classically with a logarithmic number of alternations. Theorem 49 will rule out
this scenario by showing that pseudoparity functions do not exist: if μ(g) < 0.146 then g
is a parity function, and hence μ(g) = 0.

The theorem of Ambainis that we need is his "most general" lower bound from [27],
which he introduced to show that the quantum query complexity of inverting a permutation
is $\Omega(\sqrt{n})$, and which we used already in Chapter 7. Let us restate the theorem in the present
context.

Theorem 46 (Ambainis) Let $X \subseteq f^{-1}(0)$ and $Y \subseteq f^{-1}(1)$ be sets of inputs to function
f. Let $R(x, y) \ge 0$ be a symmetric real-valued relation function, and for $x \in X$, $y \in Y$,
and index i, let

$$\theta(x, i) = \frac{\sum_{y^* \in Y : x[i] \ne y^*[i]} R(x, y^*)}{\sum_{y^* \in Y} R(x, y^*)},$$

$$\theta(y, i) = \frac{\sum_{x^* \in X : x^*[i] \ne y[i]} R(x^*, y)}{\sum_{x^* \in X} R(x^*, y)},$$

where the denominators are all nonzero. Then $Q_2(f) = \Omega(1/\upsilon)$ where

$$\upsilon = \max_{x \in X,\, y \in Y,\, i \,:\, R(x,y) > 0,\, x[i] \ne y[i]} \sqrt{\theta(x, i)\, \theta(y, i)}.$$

We are now ready to prove a lower bound for RFS.

Theorem 47 For all g (partial or total), $Q_2(\mathrm{RFS}_h^g) = \Omega\left((1 - \mu(g))^{-h/2}\right)$.

Proof. Let X be the set of all 0-inputs to $\mathrm{RFS}_h^g$, and let Y be the set of all
1-inputs. We will weight the inputs using the distributions $D_0$, $D_1$ from the definition of the
nonparity coefficient μ(g). For all $x \in X$, let p(x) be the product, over all vertices v in the
RFS tree for x, of the probability of the secret string s at v, if s is drawn from $D_{g(s)}$ (where
we condition on v's output bit, g(s)). Next, say that $x \in X$ and $y \in Y$ differ minimally if,
for all vertices v of the RFS tree, the subtrees rooted at v are identical in x and in y whenever
the answer bit g(s) at v is the same in x and in y. If x and y differ minimally, then we
will set R(x, y) = p(x) p(y); otherwise we will set R(x, y) = 0. Clearly R(x, y) = R(y, x)
for all $x \in X$, $y \in Y$. Furthermore, we claim that $\theta(x, i)\,\theta(y, i) \le (1 - \mu(g))^h$ for all x, y
that differ minimally and all i such that $x[i] \ne y[i]$. For suppose $y^* \in Y$ is chosen with
probability proportional to $R(x, y^*)$, and $x^* \in X$ is chosen with probability proportional to
$R(x^*, y)$. Then $\theta(x, i)\,\theta(y, i)$ equals the probability that we would notice the switch from
x to y* by monitoring i, times the probability that we would notice the switch from y to
x*.

Let $v_j$ be the j-th vertex along the path in the RFS tree from the root to the leaf
vertex i, for all $j \in \{1, \ldots, h\}$. Also, let $z_j \in \{0, 1\}^n$ be the label of the edge between
$v_{j-1}$ and $v_j$, and let $s_{x,j}$ and $s_{y,j}$ be the secret strings at $v_j$ in x and y respectively. Then
since x and y differ minimally, we must have $g(s_{x,j}) \ne g(s_{y,j})$ for all j — for otherwise the
subtrees rooted at $v_j$ would be identical, which contradicts the assumption $x[i] \ne y[i]$.
So we can think of the process of choosing y* as first choosing a random $s'_{x,1}$ from $D_1$
so that $1 = g(s'_{x,1}) \ne g(s_{x,1}) = 0$, then choosing a random $s'_{x,2}$ from $D_{1 - g(s_{x,2})}$ so that
$g(s'_{x,2}) \ne g(s_{x,2})$, and so on. Choosing x* is analogous, except that whenever we used $D_0$ in
choosing y* we use $D_1$, and vice versa. Since the 2h secret strings $s_{x,1}, \ldots, s_{x,h}, s_{y,1}, \ldots, s_{y,h}$
to be updated are independent of one another, it follows that

$$\Pr[y^*[i] \ne x[i]] \,\Pr[x^*[i] \ne y[i]] = \prod_{j=1}^{h} \Pr[s \cdot z_j \not\equiv s_{x,j} \cdot z_j] \,\Pr[s \cdot z_j \not\equiv s_{y,j} \cdot z_j]$$

$$\le \prod_{j=1}^{h} (1 - \mu(g))$$

$$= (1 - \mu(g))^h$$

by the definition of μ(g). Therefore

$$Q_2\left(\mathrm{RFS}_h^g\right) = \Omega\left((1 - \mu(g))^{-h/2}\right)$$

by Theorem 46. ■

Before continuing further, let me show that there is a natural, explicit choice of
g — the function $g_{\mathrm{mod}3}(s)$ from Section 9.1 — for which the nonparity coefficient is almost
3/4. Thus, for $g = g_{\mathrm{mod}3}$, the algorithm of Lemma 43 is essentially optimal.

Proposition 48 $\mu(g_{\mathrm{mod}3}) = 3/4 - O(1/n)$.

Proof. Let n > 6. Let $D_0$ be the uniform distribution over all s with $|s| = 3\lfloor n/6 \rfloor$
(so $g_{\mathrm{mod}3}(s) = 0$); likewise let $D_1$ be the uniform distribution over s with $|s| = 3\lfloor n/6 \rfloor + 2$
($g_{\mathrm{mod}3}(s) = 1$). We consider only the case of s drawn from $D_0$; the $D_1$ case is analogous.
We will show that for any z,

$$\left| \Pr_{s \in D_0}[s \cdot z \equiv 0] - \frac{1}{2} \right| = O\left(\frac{1}{n}\right)$$

(all congruences are mod 2). The theorem then follows, since by the definition of the
nonparity coefficient, given any z the choices of $s_0 \in D_0$ and $s_1 \in D_1$ are independent.

Assume without loss of generality that $1 \le |z| \le n/2$ (if |z| > n/2, then replace z
by its complement). We apply induction on |z|. If |z| = 1, then clearly

$$\Pr[s \cdot z \equiv 0] = 3\lfloor n/6 \rfloor / n = \frac{1}{2} \pm O\left(\frac{1}{n}\right).$$

For $|z| \ge 2$, let $z = z_1 \oplus z_2$, where $z_2$ contains only the rightmost 1 of z and $z_1$ contains all
the other 1's. Suppose the proposition holds for |z| − 1. Then

$$\Pr[s \cdot z \equiv 0] = \Pr[s \cdot z_1 \equiv 0] \Pr[s \cdot z_2 \equiv 0 \mid s \cdot z_1 \equiv 0] + \Pr[s \cdot z_1 \equiv 1] \Pr[s \cdot z_2 \equiv 1 \mid s \cdot z_1 \equiv 1],$$

where

$$\Pr[s \cdot z_1 \equiv 0] = \frac{1}{2} + \alpha, \qquad \Pr[s \cdot z_1 \equiv 1] = \frac{1}{2} - \alpha$$

for some |α| = O(1/n). Furthermore, even conditioned on $s \cdot z_1$, the expected number of
1's in s outside of $z_1$ is $(n - |z_1|)/2 \pm O(1)$ and they are uniformly distributed. Therefore

$$\Pr[s \cdot z_2 \equiv b \mid s \cdot z_1 \equiv b] = \frac{1}{2} + \beta_b$$

for some $|\beta_0|, |\beta_1| = O(1/n)$. So

$$\Pr[s \cdot z \equiv 0] = \frac{1}{2} + \frac{\beta_0}{2} + \alpha\beta_0 + \frac{\beta_1}{2} - \alpha\beta_1 = \frac{1}{2} \pm O\left(\frac{1}{n}\right).$$

■

Finally it must be shown that pseudoparity functions do not exist. That is, if g
is too close to a parity function for the bound of Theorem to apply, then g actually is a
parity function, from which it follows that $\mathrm{RFS}_h^g$ admits an efficient classical algorithm.

Theorem 49 Suppose μ(g) < 0.146. Then g is a parity function (equivalently, μ(g) = 0).

Proof. By linear programming duality, there exists a joint distribution $\mathcal{D}$ over
$z \in \{0, 1\}^n$, 0-inputs $\hat{s}_0 \in g^{-1}(0)$, and 1-inputs $\hat{s}_1 \in g^{-1}(1)$, such that for all $s_0 \in g^{-1}(0)$
and $s_1 \in g^{-1}(1)$,

$$\Pr_{(z, \hat{s}_0, \hat{s}_1) \in \mathcal{D}}\left[s_0 \cdot z \equiv \hat{s}_1 \cdot z \pmod 2 \;\vee\; s_1 \cdot z \equiv \hat{s}_0 \cdot z \pmod 2\right] \le \mu(g).$$

Furthermore $\hat{s}_0 \cdot z \not\equiv \hat{s}_1 \cdot z \pmod 2$, since otherwise we could violate the hypothesis by taking
$s_0 = \hat{s}_0$ or $s_1 = \hat{s}_1$. It follows that there exists a joint distribution $\mathcal{D}'$ over $z \in \{0, 1\}^n$ and
$b \in \{0, 1\}$ such that

$$\Pr_{(z, b) \in \mathcal{D}'}[s \cdot z \equiv b \pmod 2] \ge 1 - \mu(g)$$

for all $s \in g^{-1}(0)$, and

$$\Pr_{(z, b) \in \mathcal{D}'}[s \cdot z \not\equiv b \pmod 2] \ge 1 - \mu(g)$$

for all $s \in g^{-1}(1)$. But this implies that g is a bounded-error threshold function of parity
functions. More precisely, there exist probabilities $p_z$, summing to 1, as well as $b_z \in \{0, 1\}$
such that for all $s \in \{0, 1\}^n$,

$$\Psi(s) = \sum_{z \in \{0,1\}^n} p_z \left((s \cdot z) \oplus b_z\right) \quad \text{is} \quad \begin{cases} \ge 1 - \mu(g) & \text{if } g(s) = 1 \\ \le \mu(g) & \text{if } g(s) = 0. \end{cases}$$

We will consider var(Ψ), the variance of the above quantity Ψ(s) if s is drawn uniformly
at random from $\{0, 1\}^n$. First, if $p_z \ge 1/2$ for any z, then $g(s) = (s \cdot z) \oplus b_z$ is a parity
function and hence μ(g) = 0. So we can assume without loss of generality that $p_z < 1/2$ for
all z. Then since s is uniform, for each $z_1 \ne z_2$ we know that $(s \cdot z_1) \oplus b_{z_1}$ and $(s \cdot z_2) \oplus b_{z_2}$
are pairwise independent {0, 1} random variables, both with expectation 1/2. So

$$\mathrm{var}(\Psi) = \frac{1}{4} \sum_z p_z^2 < \frac{1}{4}\left(\left(\frac{1}{2}\right)^2 + \left(\frac{1}{2}\right)^2\right) = \frac{1}{8}.$$

On the other hand, since Ψ(s) is always less than μ or greater than 1 − μ,

$$\mathrm{var}(\Psi) > \left(\frac{1}{2} - \mu\right)^2.$$

Combining,

$$\mu > \frac{2 - \sqrt{2}}{4} > 0.146.$$

9.3 Open Problems

An intriguing open problem is whether Theorem 47 can be proved using the polynomial
method of Beals et al. [45], rather than the adversary method of Ambainis [27]. It is known
that one can lower-bound polynomial degree in terms of block sensitivity, or the maximum
number of disjoint changes to an input that change the output value. The trouble is that
the RFS function has block sensitivity 1 — the "sensitive blocks" of each input tend to have
small intersection, but are not disjoint. For this reason, I implicitly used the quantum
certificate complexity of Chapter 8 rather than block sensitivity to prove a lower bound.

I believe the constant of Theorem 49 can be improved. The smallest nonzero μ(g)
value I know of is attained when n = 2 and g = OR(s[1], s[2]):

Proposition 50 μ(OR) = 1/3.

Proof. First, $\mu(\mathrm{OR}) \ge 1/3$, since $D_1$ can choose s[1]s[2] to be 01, 10, or 11
each with probability 1/3; then for any $z \ne 0$ and the unique 0-input $\hat{s}_0 = 00$, we have
$s_1 \cdot z \not\equiv \hat{s}_0 \cdot z$ with probability at most 2/3. Second, $\mu(\mathrm{OR}) \le 1/3$, since applying linear
programming duality, we can let the pair $(z, \hat{s}_1)$ equal (01, 01), (10, 10), or (11, 10) each
with probability 1/3. Then $0 \equiv \hat{s}_0 \cdot z \not\equiv \hat{s}_1 \cdot z \equiv 1$ always, and for any 1-input $s_1$, we have
$s_1 \cdot z \equiv 1 \not\equiv \hat{s}_0 \cdot z$ with probability 2/3. ■
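The two witnesses in the proof of Proposition 50 can be evaluated exactly from Definition 44; the following is an added example, not code from the thesis, and its function names are assumptions made here (`h0`, `h1` stand for the hatted inputs). It goes slightly beyond OR by also checking the parity case of Proposition 45(ii) and the 3/4 cap of Proposition 45(i), using the fact that any joint distribution over (z, ŝ_0, ŝ_1) gives an upper bound on μ(g) by averaging.

```python
from fractions import Fraction
from itertools import product


def dot(a, b):
    """Inner product of two bit tuples, mod 2."""
    return sum(x & y for x, y in zip(a, b)) & 1


def split_inputs(g, n):
    """Return (0-inputs, 1-inputs, all points) of a total g on {0,1}^n."""
    pts = list(product((0, 1), repeat=n))
    return [s for s in pts if g(s) == 0], [s for s in pts if g(s) == 1], pts


def uniform(support):
    """Uniform distribution over `support`, as a dict of exact fractions."""
    return {s: Fraction(1, len(support)) for s in support}


def event(s0, s1, z, h0, h1):
    """Event of Definition 44; h0 and h1 play the hatted 0- and 1-input."""
    return dot(s0, z) == dot(h1, z) or dot(s1, z) == dot(h0, z)


def primal_value(g, n, D0, D1):
    """min over (z, h0, h1) of Pr_{s0~D0, s1~D1}[event]; mu(g) is at least this."""
    zeros, ones, pts = split_inputs(g, n)
    return min(
        sum(p0 * p1 for s0, p0 in D0.items() for s1, p1 in D1.items()
            if event(s0, s1, z, h0, h1))
        for z in pts for h0 in zeros for h1 in ones)


def dual_value(g, n, D):
    """max over (s0, s1) of Pr_{(z,h0,h1)~D}[event]; mu(g) is at most this."""
    zeros, ones, _ = split_inputs(g, n)
    return max(
        sum(p for (z, h0, h1), p in D.items() if event(s0, s1, z, h0, h1))
        for s0 in zeros for s1 in ones)


def OR(s):
    return int(any(s))


def parity(s):
    return sum(s) % 2


def check_proposition_50():
    """Both witnesses from the proof of Proposition 50, evaluated exactly."""
    d0 = {(0, 0): Fraction(1)}
    d1 = uniform([(0, 1), (1, 0), (1, 1)])
    dual = uniform([((0, 1), (0, 0), (0, 1)),
                    ((1, 0), (0, 0), (1, 0)),
                    ((1, 1), (0, 0), (1, 0))])
    return primal_value(OR, 2, d0, d1), dual_value(OR, 2, dual)


def check_parity_is_trivial(n=3):
    """Proposition 45(ii), 'if' direction: z = all-ones makes the event impossible."""
    zeros, ones, _ = split_inputs(parity, n)
    return primal_value(parity, n, uniform(zeros), uniform(ones))


def check_three_quarters(g, n, h0, h1):
    """Proposition 45(i): a uniform z with fixed h0, h1 caps mu(g) at 3/4."""
    _, _, pts = split_inputs(g, n)
    return dual_value(g, n, uniform([(z, h0, h1) for z in pts]))


if __name__ == "__main__":
    print(check_proposition_50(), check_parity_is_trivial(),
          check_three_quarters(OR, 2, (0, 0), (0, 1)))
```
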

Finally, I conjecture that uncomputation is unavoidable not just for RFS but for 
many other recursive problems, such as game-tree evaluation. Formally, the conjecture is 
that the quantum query complexity of evaluating a game tree increases exponentially with 
depth as the number of leaves is held constant, even if there is at most one winning move 
per vertex (so that the tree can be evaluated with zero probability of error).
Chapter 10

Limitations of Quantum Advice 



How many classical bits can "really" be encoded into n qubits? Is it n, because
of Holevo's Theorem [145]; 2n, because of dense quantum coding [JBl and quantum
teleportation [S3]; exponentially many, because of quantum fingerprinting [75]; or infinitely many,
because amplitudes are continuous? The best general answer to this question is probably
mu, the Zen word that "unasks" a question.¹

To a computer scientist, however, it is natural to formalize the question in terms
of quantum one-way communication complexity [43, 75, 154, 250]. The setting is as follows:
Alice has an n-bit string x, Bob has an m-bit string y, and together they wish to evaluate
f(x, y) where $f : \{0, 1\}^n \times \{0, 1\}^m \to \{0, 1\}$ is a Boolean function. After examining her
input $x = x_1 \ldots x_n$, Alice can send a single quantum message $\rho_x$ to Bob, whereupon Bob,
after examining his input $y = y_1 \ldots y_m$, can choose some basis in which to measure $\rho_x$.
He must then output a claimed value for f(x, y). We are interested in how long Alice's
message needs to be, for Bob to succeed with high probability on any x, y pair. Ideally the
length will be much smaller than if Alice had to send a classical message.

Communication complexity questions have been intensively studied in theoretical
computer science (see the book of Kushilevitz and Nisan [160] for example). In both the
classical and quantum cases, though, most attention has focused on two-way
communication, meaning that Alice and Bob get to send messages back and forth. I believe that
the study of one-way quantum communication presents two main advantages. First, many
open problems about two-way communication look gruesomely difficult — for example, are
the randomized and quantum communication complexities of every total Boolean function
polynomially related? We might gain insight into these problems by tackling their one-way
analogues first. And second, because of its greater simplicity, the one-way model more
directly addresses our opening question: how much "useful stuff" can be packed into a
quantum state? Thus, results on one-way communication fall into the quantum
information theory tradition initiated by Holevo [145] and others, as much as the communication
complexity tradition initiated by Yao [247].

¹ Another mu-worthy question is, "Where does the power of quantum computing come from?
Superposition? Interference? The large size of Hilbert space?"

Related to quantum one-way communication is the notion of quantum advice. As
pointed out by Nielsen and Chuang [182, p. 203], there is no compelling physical reason to
assume that the starting state of a quantum computer is a computational basis state:²

[W]e know that many systems in Nature 'prefer' to sit in highly entangled states 
of many systems; might it be possible to exploit this preference to obtain extra 
computational power? It might be that having access to certain states allows 
particular computations to be done much more easily than if we are constrained 
to start in the computational basis. 

One way to interpret Nielsen and Chuang's provocative question is as follows. 
Suppose we could request the best possible starting state for a quantum computer, knowing 
the language to be decided and the input length n but not knowing the input itself.³ 
Denote the class of languages that we could then decide by BQP/qpoly — meaning quantum 
polynomial time, given an arbitrarily-entangled but polynomial-size quantum advice 
state.⁴ How powerful is this class? If BQP/qpoly contained (for example) the NP-complete 
problems, then we would need to rethink our most basic assumptions about the power of 
quantum computing. We will see later that quantum advice is closely related to quantum 
one-way communication, since we can think of an advice state as a one-way message sent 
to an algorithm by a benevolent "advisor." 

This chapter is about the limitations of quantum advice and one-way communication. 
It presents three contributions which are basically independent of one another. 

First, Section 10.2 shows that $D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ for any Boolean 
function f, partial or total. Here $D^1(f)$ is deterministic one-way communication 
complexity, $Q^1_2(f)$ is bounded-error one-way quantum communication complexity, and m is the 
length of Bob's input. Intuitively, whenever the set of Bob's possible inputs is not too large, 
Alice can send him a short classical message that lets him learn the outcome of any 
measurement he would have wanted to make on the quantum message $\rho_x$. It is interesting that 
a slightly tighter bound for total functions — $D^1(f) = O(m Q^1_2(f))$ — follows easily from a 
result of Klauck [154] together with a lemma of Sauer [212] about VC-dimension. However, 
the proof of the latter bound is highly nonconstructive, and seems to fail for partial f. 

Using my communication complexity result, Section 10.2.1 shows that BQP/qpoly $\subseteq$ 
PP/poly — in other words, BQP with polynomial-size quantum advice can be simulated in 
PP with polynomial-size classical advice.⁵ This resolves a question of Harry Buhrman 
(personal communication), who asked whether quantum advice can be simulated in any 
classical complexity class with short classical advice. A corollary of this containment is 
that we cannot hope to show an unrelativized separation between quantum and classical 
advice (that is, that BQP/poly $\neq$ BQP/qpoly), without also showing that PP does not have 
polynomial-size circuits. 

2 One might object that the starting state is itself the outcome of some computational process, which 
began no earlier than the Big Bang. However, (1) for all we know highly entangled states were created in 
the Big Bang, and (2) 14 billion years is a long time. 

3 If we knew the input, we would simply request a starting state that contains the right answer! 

4 BQP/qpoly might remind readers of a better-studied class called QMA (Quantum Merlin-Arthur). But 
there are two key differences: first, advice can be trusted while proofs cannot; second, proofs can be tailored 
to a particular input while advice cannot. 

5 Given a complexity class C, the class C/poly consists of all languages decidable by a C machine, given 
a polynomial-size classical advice string that depends only on the input length. See Chapter [3] for more 
information about the complexity classes mentioned in this chapter. 
What makes this result surprising is that, in the minds of many computer scientists, 
a quantum state is basically an exponentially long vector. Indeed, this belief seems 
to fuel skepticism of quantum computing (see Goldreich [128] for example). But given an 
exponentially long advice string, even a classical computer could decide any language 
whatsoever. So one might imagine naively that quantum advice would let us solve problems 
that are not even recursively enumerable given classical advice of a similar size! The failure 
of this naive intuition supports the view that a quantum superposition over n-bit strings is 
"more similar" to a probability distribution over n-bit strings than to a $2^n$-bit string. 

The second contribution of the chapter, in Section 10.3, is an oracle relative to 
which NP is not contained in BQP/qpoly. Underlying this oracle separation is the first 
correct proof of a direct product theorem for quantum search. Given an N-item database 
with K marked items, the direct product theorem says that if a quantum algorithm makes 
$o(\sqrt{N})$ queries, then the probability that the algorithm finds all K of the marked items 
decreases exponentially in K. Notice that such a result does not follow from any existing 
quantum lower bound. Earlier Klauck [155] had claimed a weaker direct product theorem, 
based on the hybrid method of Bennett et al. [51], in a paper on quantum time-space 
tradeoffs for sorting. Unfortunately, Klauck's proof is incorrect. The proof in this chapter 
uses the polynomial method of Beals et al. [45], with the novel twist that we examine all higher 
derivatives of a polynomial (not just the first derivative). The proof has already been 
improved by Klauck, Spalek, and de Wolf [156], who were able to recover and even extend 
Klauck's original claims about quantum sorting. 

The final contribution, in Section 10.4, is a new trace distance method for proving 
lower bounds on quantum one-way communication complexity. Previously there was only 
one basic lower bound technique: the VC-dimension method of Klauck [154], which relied 
on lower bounds for quantum random access codes due to Ambainis et al. [32] and Nayak 
[180]. Using VC-dimension one can show, for example, that $Q^1_2(\mathrm{DISJ}) = \Omega(n)$, where the 
disjointness function $\mathrm{DISJ} : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is defined by $\mathrm{DISJ}(x,y) = 1$ if and 
only if $x_i y_i = 0$ for all $i \in \{1, \ldots, n\}$. 

For some problems, however, the VC-dimension method yields no nontrivial quantum 
lower bound. Seeking to make this point vividly, Ambainis posed the following problem. 
Alice is given two elements x, y of a finite field $\mathbb{F}_p$ (where p is prime); Bob is given 
another two elements $a, b \in \mathbb{F}_p$. Bob's goal is to output 1 if $y = ax + b \pmod{p}$ and 0 
otherwise. For this problem, the VC-dimension method yields no randomized or quantum lower 
bound better than constant. On the other hand, the well-known fingerprinting protocol 
for the equality function [192] seems to fail for Ambainis' problem, because of the interplay 
between addition and multiplication. So it is natural to conjecture that the randomized 
and even quantum one-way complexities are (log p) — that is, that no nontrivial protocol 
exists for this problem. 

Ambainis posed a second problem in the same spirit. Here Alice is given $x \in 
\{1, \ldots, N\}$, Bob is given $y \in \{1, \ldots, N\}$, and both players know a subset $S \subseteq \{1, \ldots, N\}$. 
Bob's goal is to decide whether $x - y \in S$ where subtraction is modulo N. The conjecture 
is that if S is chosen uniformly at random with $|S|$ about $\sqrt{N}$, then with high probability 
the randomized and quantum one-way complexities are both (log N). 

Using the trace distance method, I am able to show optimal quantum lower bounds 
for both of Ambainis' problems. Previously, no nontrivial lower bounds were known even 
for randomized protocols. The key idea is to consider two probability distributions over 
Alice's quantum message $\rho_x$. The first distribution corresponds to x chosen uniformly at 
random; the second corresponds to x chosen uniformly conditioned on $f(x,y) = 1$. These 
distributions give rise to two mixed states $\rho$ and $\rho_y$, which Bob must be able to distinguish 
with non-negligible bias assuming he can evaluate $f(x,y)$. I then show an upper bound on 
the trace distance $\|\rho - \rho_y\|_{\mathrm{tr}}$, which implies that Bob cannot distinguish the distributions. 

Theorem 65 gives a very general condition under which the trace distance method 
works; Corollaries EU and then show that the condition is satisfied for Ambainis' two 
problems. Besides showing a significant limitation of the VC-dimension method, I hope 
the new method is a non-negligible step towards proving that $R^1_2(f) = O(Q^1_2(f))$ for all 
total Boolean functions f, where $R^1_2(f)$ is randomized one-way complexity. I conclude in 
Section 10.5 with some open problems. 

10.1 Preliminaries 

Following standard conventions, I denote by $D^1(f)$ the deterministic one-way complexity 
of f, or the minimum number of bits that Alice must send if her message is a function of x. 
Also, $R^1_2(f)$, the bounded-error randomized one-way complexity, is the minimum k such 
that for every x, y, if Alice sends Bob a k-bit message drawn from some distribution $\mathcal{D}_x$, 
then Bob can output a bit a such that $a = f(x,y)$ with probability at least 2/3. (The 
subscript 2 means that the error is two-sided.) The zero-error randomized complexity 
$R^1_0(f)$ is similar, except that Bob's answer can never be wrong: he must output $f(x,y)$ 
with probability at least 1/2 and otherwise declare failure. 

The bounded-error quantum one-way complexity $Q^1_2(f)$ is the minimum k such 
that, if Alice sends Bob a mixed state $\rho_x$ of k qubits, there exists a joint measurement of $\rho_x$ 
and y enabling Bob to output an a such that $a = f(x,y)$ with probability at least 2/3. The 
zero-error and exact complexities $Q^1_0(f)$ and (/) are defined analogously. Requiring 
Alice's message to be a pure state would increase these complexities by at most a factor of 
2, since by Kraus' Theorem, every k-qubit mixed state can be realized as half of a 2k-qubit 
pure state. (Winter [243] has shown that this factor of 2 is tight.) See Klauck [154] 
for more detailed definitions of quantum and classical one-way communication complexity 
measures. 

It is immediate that D 1 (/) > Rj (/) > R^ (/) > (/), that R^j (/) > (/) > 
Ql (/), and that D 1 (/) > (/). Also, for total /, Duris et al. QUI] showed that R^ (/) = 
6 (D 1 (/)), while Klauck showed that (/) = D 1 (/) and that (/) = G (D 1 (/)). 
In other words, randomized and quantum messages yield no improvement for total functions 
if one is unwilling to tolerate a bounded probability of error. This remains true even if 
Alice and Bob share arbitrarily many EPR pairs [154]. As is often the case, the situation 
is dramatically different for partial functions: there it is easy to see that $R^1_0(f)$ can be 
constant even though $D^1(f) = \Omega(n)$: let $f(x,y) = 1$ if $x_1 y_1 + \cdots + x_{n/2} y_{n/2} \ge n/4$ 
and $x_{n/2+1} y_{n/2+1} + \cdots + x_n y_n = 0$, and $f(x,y) = 0$ if $x_1 y_1 + \cdots + x_{n/2} y_{n/2} = 0$ and 
$x_{n/2+1} y_{n/2+1} + \cdots + x_n y_n \ge n/4$, promised that one of these is the case. 

Moreover, Bar-Yossef, Jayram, and Kerenidis [33] have almost shown that (/) 
can be exponentially smaller than $R^1_2(f)$. In particular, they proved that separation 
for a relation, meaning a problem for which Bob has many possible valid outputs. For a 
partial function / based on their relation, they also showed that (/) = O (logn) whereas 
Rq (/) = O (\/n); and they conjectured (but did not prove) that R 2 (/) = {s/n)- 



10.1.1 Quantum Advice 

Informally, BQP/qpoly is the class of languages decidable in polynomial time on a quantum 
computer, given a polynomial-size quantum advice state that depends only on the input 
length. I now make the definition more formal. 

Definition 51 A language L is in BQP/qpoly if there exists a polynomial-size quantum 
circuit family $\{C_n\}_{n \ge 1}$, and a polynomial-size family of quantum states $\{|\psi_n\rangle\}_{n \ge 1}$, such 
that for all $x \in \{0,1\}^n$: 

(i) If $x \in L$ then $q(x) \ge 2/3$, where $q(x)$ is the probability that the first qubit is measured 
to be $|1\rangle$, after $C_n$ is applied to the starting state $|x\rangle \otimes |0 \cdots 0\rangle \otimes |\psi_n\rangle$. 

(ii) If $x \notin L$ then $q(x) \le 1/3$.⁶ 

The central open question about BQP/qpoly is whether it equals BQP/poly, or 
BQP with polynomial-size classical advice. We do have a candidate for an oracle problem 
separating the two classes: the group membership problem of Watrous [239], which I will 
describe for completeness. Let $G_n$ be a black box group⁷ whose elements are uniquely 
labeled by n-bit strings, and let $H_n$ be a subgroup of $G_n$. Both $G_n$ and $H_n$ depend only on 
the input length n, so we can assume that a nonuniform algorithm knows generating sets 
for both of them. Given an element $x \in G_n$ as input, the problem is to decide whether 
$x \in H_n$. 

If $G_n$ is "sufficiently nonabelian" and $H_n$ is exponentially large, we do not know 
how to solve this problem in BQP or even BQP/poly. On the other hand, we can solve it 
in BQP/qpoly as follows. Let the quantum advice state be an equal superposition over all 
elements of $H_n$: 

$$|H_n\rangle = \frac{1}{\sqrt{|H_n|}} \sum_{y \in H_n} |y\rangle.$$

We can transform $|H_n\rangle$ into 

$$|xH_n\rangle = \frac{1}{\sqrt{|H_n|}} \sum_{y \in H_n} |xy\rangle$$

by mapping $|y\rangle|0\rangle$ to $|y\rangle|xy\rangle$ to $|y \oplus x^{-1}xy\rangle|xy\rangle = |0\rangle|xy\rangle$ for each $y \in H_n$. Our algorithm 
will first prepare the state $(|0\rangle|H_n\rangle + |1\rangle|xH_n\rangle)/\sqrt{2}$, then apply a Hadamard gate to the 
first qubit, and finally measure the first qubit in the standard basis, in order to distinguish 
the cases $|H_n\rangle = |xH_n\rangle$ and $\langle H_n | xH_n\rangle = 0$ with constant bias. The first case occurs 
whenever $x \in H_n$, and the second occurs whenever $x \notin H_n$. 

6 If the starting state is $|x\rangle \otimes |0 \cdots 0\rangle \otimes |\varphi\rangle$ for some $|\varphi\rangle \neq |\psi_n\rangle$, then the acceptance probability is not 
required to lie in $[0, 1/3] \cup [2/3, 1]$. Therefore, what I call BQP/qpoly corresponds to what Nishimura and 
Yamakami [186] call BQP/*Qpoly. Also, it does not matter whether the circuit family $\{C_n\}_{n \ge 1}$ is uniform, 
since we are giving it advice anyway. 

7 In other words, we have a quantum oracle available that given $x, y \in G_n$ outputs xy (i.e. exclusive-OR's 
xy into an answer register), and that given $x \in G_n$ outputs $x^{-1}$. 

Although the group membership problem provides intriguing evidence for the 
power of quantum advice, we have no idea how to show that it is not also solvable using 
classical advice. Indeed, apart from a result of Nishimura and Yamakami [186] that 
EESPACE $\not\subset$ BQP/qpoly, essentially nothing was known about the class BQP/qpoly before 
the work reported here. 

10.1.2 The Almost As Good As New Lemma 

The following simple lemma, which was implicit in jH2j , is used three times in this chapter — 
in Theorems 56, 57, and 64. It says that, if the outcome of measuring a quantum state $\rho$ 
could be predicted with near-certainty given knowledge of $\rho$, then measuring $\rho$ will damage 
it only slightly. Recall that the trace distance $\|\rho - \sigma\|_{\mathrm{tr}}$ between two mixed states $\rho$ and $\sigma$ 
equals $\frac{1}{2} \sum_{i=1}^{N} |\lambda_i|$, where $\lambda_1, \ldots, \lambda_N$ are the eigenvalues of $\rho - \sigma$. 

Lemma 52 Suppose a 2-outcome measurement of a mixed state $\rho$ yields outcome 0 with 
probability $1 - \varepsilon$. Then after the measurement, we can recover a state $\tilde{\rho}$ such that $\|\tilde{\rho} - \rho\|_{\mathrm{tr}} \le 
\sqrt{\varepsilon}$. This is true even if the measurement is a POVM (that is, involves arbitrarily many 
ancilla qubits). 

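Proof. Let $|\psi\rangle$ be a purification of the entire system ($\rho$ plus ancilla). We can 
represent any measurement as a unitary U applied to $|\psi\rangle$, followed by a 1-qubit measurement. 
Let $|\varphi_0\rangle$ and $|\varphi_1\rangle$ be the two possible pure states after the measurement; then $\langle\varphi_0|\varphi_1\rangle = 0$ 
and $U|\psi\rangle = \alpha|\varphi_0\rangle + \beta|\varphi_1\rangle$ for some $\alpha, \beta$ such that $|\alpha|^2 = 1 - \varepsilon$ and $|\beta|^2 = \varepsilon$. Writing the 
measurement result as $\sigma = (1 - \varepsilon)|\varphi_0\rangle\langle\varphi_0| + \varepsilon|\varphi_1\rangle\langle\varphi_1|$, it is easy to show that 

$$\left\| \sigma - U|\psi\rangle\langle\psi|U^{-1} \right\|_{\mathrm{tr}} = \sqrt{\varepsilon(1 - \varepsilon)}.$$

So applying $U^{-1}$ to $\sigma$, 

$$\left\| U^{-1}\sigma U - |\psi\rangle\langle\psi| \right\|_{\mathrm{tr}} = \sqrt{\varepsilon(1 - \varepsilon)}.$$

Let $\tilde{\rho}$ be the restriction of $U^{-1}\sigma U$ to the original qubits of $\rho$. Theorem 9.2 of Nielsen 
and Chuang [182] shows that tracing out a subsystem never increases trace distance, so 
$\|\tilde{\rho} - \rho\|_{\mathrm{tr}} \le \sqrt{\varepsilon(1 - \varepsilon)} \le \sqrt{\varepsilon}$. ■ 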

10.2 Simulating Quantum Messages 

Let $f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$ be a Boolean function. In this section I first combine 
existing results to obtain the relation $D^1(f) = O(m Q^1_2(f))$ for total f, and then prove 
using a new method that $D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ for all f (partial or total). 

Define the communication matrix $M_f$ to be a $2^n \times 2^m$ matrix with $f(x,y)$ in the 
x-th row and y-th column. Then letting rows(f) be the number of distinct rows in $M_f$, the 
following is immediate. 
Proposition 53 For total f, 

$$D^1(f) = \lceil \log_2 \mathrm{rows}(f) \rceil,$$
$$Q^1_2(f) = \Omega(\log \log \mathrm{rows}(f)).$$

Also, let the VC-dimension VC(f) equal the maximum k for which there exists a 
$2^n \times k$ submatrix $M_g$ of $M_f$ with rows(g) $= 2^k$. Then Klauck [154] observed the following, 
based on a lower bound for quantum random access codes due to Nayak [180]. 

Proposition 54 (Klauck) $Q^1_2(f) = \Omega(\mathrm{VC}(f))$ for total f. 

Now let cols(f) be the number of distinct columns in $M_f$. Then Proposition 54 
yields the following general lower bound: 

Corollary 55 $D^1(f) = O(m Q^1_2(f))$ for total f, where m is the size of Bob's input. 

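Proof. It follows from a lemma of Sauer [212] that 

$$\mathrm{rows}(f) \le \sum_{i=0}^{\mathrm{VC}(f)} \binom{\mathrm{cols}(f)}{i} \le \mathrm{cols}(f)^{\mathrm{VC}(f)+1}.$$

Hence $\mathrm{VC}(f) \ge \log_{\mathrm{cols}(f)} \mathrm{rows}(f) - 1$, so 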



n 



D 1 (/) 



??? 



In particular, $D^1(f)$ and $Q^1_2(f)$ are polynomially related for total f, whenever 
Bob's input is polynomially smaller than Alice's, and Alice's input is not "padded." More 
formally, $D^1(f) = O\left(Q^1_2(f)^{1/(1-c)}\right)$ whenever $m = O(n^c)$ for some $c < 1$ and rows(f) $= 2^n$ 
(i.e. all rows of $M_f$ are distinct). For then $D^1(f) = n$ by Proposition and $Q^1_2(f) = 
\Omega(D^1(f)/n^c) = \Omega(n^{1-c})$ by Corollary 55. 

I now give a new method for replacing quantum messages by classical ones when 
Bob's input is small. Although the best bound I know how to obtain with this method — 
$D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ — is slightly weaker than the $D^1(f) = O(m Q^1_2(f))$ of 
Corollary 55, our method works for partial Boolean functions as well as total ones. It 
also yields a (relatively) efficient procedure by which Bob can reconstruct Alice's quantum 
message, a fact I will exploit in Section 10.2.1 to show BQP/qpoly $\subseteq$ PP/poly. By contrast, 
the method based on Sauer's Lemma seems to be nonconstructive. 

Theorem 56 $D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ for all f (partial or total). 
Proof. Let $f : \mathcal{D} \to \{0,1\}$ be a partial Boolean function with $\mathcal{D} \subseteq \{0,1\}^n \times 
\{0,1\}^m$, and for all $x \in \{0,1\}^n$, let $\mathcal{D}_x = \{y \in \{0,1\}^m : (x,y) \in \mathcal{D}\}$. Suppose Alice can 
send Bob a quantum state with $Q^1_2(f)$ qubits, that enables him to compute $f(x,y)$ for any 
$y \in \mathcal{D}_x$ with error probability at most 1/3. Then she can also send him a boosted state $\rho$ 
with $K = O(Q^1_2(f) \log Q^1_2(f))$ qubits, such that for all $y \in \mathcal{D}_x$, 

$$|P_y(\rho) - f(x,y)| \le \frac{1}{Q^1_2(f)^{10}},$$

where $P_y(\rho)$ is the probability that some measurement $A[y]$ yields a '1' outcome when 
applied to $\rho$. We can assume for simplicity that $\rho$ is a pure state $|\psi\rangle\langle\psi|$; as discussed in 
Section 10.1, this increases the message length by at most a factor of 2. 

Let $\mathcal{Y}$ be any subset of $\mathcal{D}_x$ satisfying $|\mathcal{Y}| \le Q^1_2(f)^2$. Then starting with $\rho$, Bob 
can measure $A[y]$ for each $y \in \mathcal{Y}$ in lexicographic order, reusing the same message state 
again and again but uncomputing whatever garbage he generates while measuring. Let $\rho_t$ 
be the state after the t-th measurement; thus $\rho_0 = \rho = |\psi\rangle\langle\psi|$. Since the probability that 
Bob outputs the wrong value of $f(x,y)$ on any given y is at most $1/Q^1_2(f)^{10}$, Lemma 52 
implies that 

$$\|\rho_t - \rho_{t-1}\|_{\mathrm{tr}} \le \sqrt{\frac{1}{Q^1_2(f)^{10}}} = \frac{1}{Q^1_2(f)^5}.$$

Since trace distance satisfies the triangle inequality, this in turn implies that 

$$\|\rho_t - \rho\|_{\mathrm{tr}} \le \frac{t}{Q^1_2(f)^5} \le \frac{1}{Q^1_2(f)^3}.$$

Now imagine an "ideal scenario" in which $\rho_t = \rho$ for every t; that is, the measurements do 
not damage $\rho$ at all. Then the maximum bias with which Bob could distinguish the actual 
from the ideal scenario is 

$$\left\| \rho_0 \otimes \cdots \otimes \rho_{|\mathcal{Y}|-1} - \rho^{\otimes |\mathcal{Y}|} \right\|_{\mathrm{tr}} \le \frac{|\mathcal{Y}|}{Q^1_2(f)^3} \le \frac{1}{Q^1_2(f)}.$$

So by the union bound, Bob will output $f(x,y)$ for every $y \in \mathcal{Y}$ simultaneously with 
probability at least 

$$1 - \frac{|\mathcal{Y}|}{Q^1_2(f)^{10}} - \frac{1}{Q^1_2(f)} \ge 0.9$$

for sufficiently large $Q^1_2(f)$. 

Now imagine that the communication channel is blocked, so Bob has to guess what 
message Alice wants to send him. He does this by using the K-qubit maximally mixed 
state I in place of $\rho$. We can write I as 

$$I = \frac{1}{2^K} \sum_{j=1}^{2^K} |\psi_j\rangle\langle\psi_j|,$$

where $|\psi_1\rangle, \ldots, |\psi_{2^K}\rangle$ are orthonormal vectors such that $|\psi_1\rangle = |\psi\rangle$. So if Bob uses the same 
procedure as above except with I instead of $\rho$, then for any $\mathcal{Y} \subseteq \mathcal{D}_x$ with $|\mathcal{Y}| \le Q^1_2(f)^2$, he 
will output $f(x,y)$ for every $y \in \mathcal{Y}$ simultaneously with probability at least $0.9/2^K$. 
The classical simulation of the quantum protocol is now as follows. Alice's message 
to Bob consists of $T \le K$ inputs $y_1, \ldots, y_T \in \mathcal{D}_x$, together with $f(x,y_1), \ldots, f(x,y_T)$.⁸ 
Thus the message length is $mT + T = O(m Q^1_2(f) \log Q^1_2(f))$. Here are the semantics of 
Alice's message: "Bob, suppose you looped over all $y \in \mathcal{D}_x$ in lexicographic order; and for 
each one, guessed that $f(x,y) = \mathrm{round}(P_y(I))$, where round(p) is 1 if $p \ge 1/2$ and 0 if 
$p < 1/2$. Then $y_1$ is the first y for which you would guess the wrong value of $f(x,y)$. In 
general, let $I_t$ be the state obtained by starting from I and then measuring $A[y_1], \ldots, A[y_t]$ 
in that order, given that the outcomes of the measurements are $f(x,y_1), \ldots, f(x,y_t)$ 
respectively. (Note that $I_t$ is not changed by measurements of every $y \in \mathcal{D}_x$ up to $y_t$, only by 
measurements of $y_1, \ldots, y_t$.) If you looped over all $y \in \mathcal{D}_x$ in lexicographic order beginning 
from $y_t$, then $y_{t+1}$ is the first y you would encounter for which $\mathrm{round}(P_y(I_t)) \neq f(x,y)$." 

Given the sequence of $y_t$'s as defined above, it is obvious that Bob can compute 
$f(x,y)$ for any $y \in \mathcal{D}_x$. First, if $y = y_t$ for some t, then he simply outputs $f(x,y_t)$. 
Otherwise, let $t^*$ be the largest t for which $y_t < y$ lexicographically. Then Bob prepares 
a classical description of the state $I_{t^*}$ — which he can do since he knows $y_1, \ldots, y_{t^*}$ and 
$f(x,y_1), \ldots, f(x,y_{t^*})$ — and then outputs $\mathrm{round}(P_y(I_{t^*}))$ as his claimed value of $f(x,y)$. 
Notice that, although Alice uses her knowledge of $\mathcal{D}_x$ to prepare her message, Bob does not 
need to know $\mathcal{D}_x$ in order to interpret the message. That is why the simulation works for 
partial as well as total functions. 

But why can we assume that the sequence of $y_t$'s stops at $y_T$ for some $T \le K$? 
Suppose $T > K$; we will derive a contradiction. Let $\mathcal{Y} = \{y_1, \ldots, y_{K+1}\}$. Then 
$|\mathcal{Y}| = K + 1 \le Q^1_2(f)^2$, so we know from previous reasoning that if Bob starts with I and 
then measures $A[y_1], \ldots, A[y_{K+1}]$ in that order, he will observe $f(x,y_1), \ldots, f(x,y_{K+1})$ 
simultaneously with probability at least $0.9/2^K$. But by the definition of $y_t$, the probability 
that $A[y_t]$ yields the correct outcome is at most 1/2, conditioned on $A[y_1], \ldots, A[y_{t-1}]$ 
having yielded the correct outcomes. Therefore $f(x,y_1), \ldots, f(x,y_{K+1})$ are observed 
simultaneously with probability at most $1/2^{K+1} < 0.9/2^K$, contradiction. ■ 
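
The classical simulation in the proof of Theorem 56 can be run exactly on a small instance. The following is an added example, not code from the thesis: the 4-dimensional states, the subspace measurements, and every function name are constructed for illustration, and the measurements are error-free on the promise (so no boosting is needed and the bound reads T ≤ K = 2).

```python
from fractions import Fraction
from itertools import combinations

D = 4  # dimension of Alice's message space: K = log2(D) = 2 qubits

# Constructed toy instance: three orthogonal bases of R^4 (unnormalised vectors).
BASES = [
    [(1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)],
    [(1, 1, 1, 1), (1, -1, 1, -1), (1, 1, -1, -1), (1, -1, -1, 1)],
    [(1, 0, 0, 1), (1, 0, 0, -1), (0, 1, 1, 0), (0, 1, -1, 0)],
]
STATES = [v for basis in BASES for v in basis]  # input x selects the message |psi_x>


def projector(vectors):
    """Exact projector onto the span of mutually orthogonal vectors."""
    proj = [[Fraction(0)] * D for _ in range(D)]
    for v in vectors:
        norm2 = sum(c * c for c in v)
        for i in range(D):
            for j in range(D):
                proj[i][j] += Fraction(v[i] * v[j], norm2)
    return proj


# Input y selects a two-outcome measurement: "is the state in this 2-dim subspace?"
# The list index stands in for lexicographic order on y.
MEASUREMENTS = [projector(p) for basis in BASES for p in combinations(basis, 2)]
IDENTITY = [[Fraction(int(i == j)) for j in range(D)] for i in range(D)]
MAX_MIXED = [[entry / D for entry in row] for row in IDENTITY]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(D)) for j in range(D)]
            for i in range(D)]


def prob_one(y, rho):
    """P_y(rho): probability that measurement y yields outcome 1 on state rho."""
    product = matmul(MEASUREMENTS[y], rho)
    return sum(product[i][i] for i in range(D))


def guess(y, rho):
    """round(P_y(rho)) with the convention round(1/2) = 1."""
    return 1 if prob_one(y, rho) >= Fraction(1, 2) else 0


def f(x, y):
    """Partial function: 1 / 0 when the outcome is certain, None outside the promise."""
    p = prob_one(y, projector([STATES[x]]))
    return 1 if p == 1 else 0 if p == 0 else None


def postselect(rho, y, outcome):
    """State after measurement y, conditioned on the given outcome."""
    proj = MEASUREMENTS[y]
    if outcome == 0:
        proj = [[IDENTITY[i][j] - proj[i][j] for j in range(D)] for i in range(D)]
    new = matmul(matmul(proj, rho), proj)
    weight = sum(new[i][i] for i in range(D))
    return [[entry / weight for entry in row] for row in new]


def alice_message(x):
    """List the inputs y_t on which Bob's running guess fails, with f(x, y_t)."""
    rho, message = MAX_MIXED, []
    for y in range(len(MEASUREMENTS)):
        value = f(x, y)
        if value is not None and guess(y, rho) != value:  # y in D_x, guess wrong
            message.append((y, value))
            rho = postselect(rho, y, value)
    return message


def bob_output(message, y):
    """Recompute I_{t*} from the listed pairs below y, then round P_y(I_{t*})."""
    rho = MAX_MIXED
    for y_t, value in message:
        if y_t == y:
            return value
        if y_t > y:
            break
        rho = postselect(rho, y_t, value)
    return guess(y, rho)


def check_simulation():
    """Return (longest message, number of wrong answers) over the whole promise."""
    longest = wrong = 0
    for x in range(len(STATES)):
        message = alice_message(x)
        longest = max(longest, len(message))
        wrong += sum(1 for y in range(len(MEASUREMENTS))
                     if f(x, y) is not None and bob_output(message, y) != f(x, y))
    return longest, wrong
```

Bob never consults the promise set when decoding: `bob_output` uses only the listed pairs, which is the property that makes the simulation work for partial functions.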

10.2.1 Simulating Quantum Advice 

I now apply the new simulation method to upper-bound the power of quantum advice. 

Theorem 57 BQP/qpoly $\subseteq$ PP/poly. 

Proof. For notational convenience, let $L_n(x) = 1$ if input $x \in \{0,1\}^n$ is in 
language L, and $L_n(x) = 0$ otherwise. Suppose $L_n$ is computed by a BQP machine using 
quantum advice of length $p(n)$. We will give a PP machine that computes $L_n$ using 
classical advice of length $O(n\, p(n) \log p(n))$. Because of the close connection between 
advice and one-way communication, the simulation method will be essentially identical to 
that of Theorem 56. 

By using a boosted advice state on $K = O(p(n) \log p(n))$ qubits, a polynomial-time 
quantum algorithm A can compute $L_n(x)$ with error probability at most $1/p(n)^{10}$. 
Now the classical advice to the PP machine consists of $T \le K$ inputs $x_1, \ldots, x_T \in \{0,1\}^n$, 
together with $L_n(x_1), \ldots, L_n(x_T)$. Let I be the maximally mixed state on K qubits. 
Also, let $P_x(\rho)$ be the probability that A outputs '1' on input x, given $\rho$ as its advice 
state. Then $x_1$ is the lexicographically first input x for which $\mathrm{round}(P_x(I)) \neq L_n(x)$. 
In general, let $I_t$ be the state obtained by starting with I as the advice and then running 
A on $x_1, \ldots, x_t$ in that order (uncomputing garbage along the way), if we postselect on A 
correctly outputting $L_n(x_1), \ldots, L_n(x_t)$. Then $x_{t+1}$ is the lexicographically first $x > x_t$ 
for which $\mathrm{round}(P_x(I_t)) \neq L_n(x)$. 

8 Strictly speaking, Bob will be able to compute $f(x,y_1), \ldots, f(x,y_T)$ for himself given $y_1, \ldots, y_T$; he 
does not need Alice to tell him the f values. 

Given the classical advice, we can compute $L_n(x)$ as follows: if $x \in \{x_1, \ldots, x_T\}$ 
then output $L_n(x_t)$. Otherwise let $t^*$ be the largest t for which $x_t < x$ lexicographically, 
and output $\mathrm{round}(P_x(I_{t^*}))$. The proof that this algorithm works is the same as in Theorem 
56, and so is omitted for brevity. All that needs to be shown is that the algorithm can be 
implemented in PP. 

Adleman, DeMarrais, and Huang ^B] (see also Fortnow and Rogers [116]) showed 
that BQP $\subseteq$ PP, by using what physicists would call a "Feynman sum-over-histories." 
Specifically, let C be a polynomial-size quantum circuit that starts in the all-0 state, and 
that consists solely of Toffoli and Hadamard gates (Shi [217] has shown that this gate set 
is universal). Also, let $\alpha_z$ be the amplitude of basis state $|z\rangle$ after all gates in C have been 
applied. We can write $\alpha_z$ as a sum of exponentially many contributions, $a_1 + \cdots + a_N$, 
where each $a_i$ is a rational real number computable in classical polynomial time. So by 
evaluating the sum 

$$|\alpha_z|^2 = \sum_{i,j=1}^{N} a_i a_j,$$

putting positive and negative terms on "opposite sides of the ledger," a PP machine can 
check whether $|\alpha_z| > \beta$ for any rational constant $\beta$. It follows that a PP machine can also 
check whether 

$$\sum_{z \,:\, S_1(z)} |\alpha_z|^2 > \sum_{z \,:\, S_0(z)} |\alpha_z|^2$$

(or equivalently, whether $\Pr[S_1] > \Pr[S_0]$) for any classical polynomial-time predicates $S_1$ 
and $S_0$. 

Now suppose the circuit C does the following, in the case $x \notin \{x_1, \ldots, x_T\}$. It 
first prepares the K-qubit maximally mixed state I (as half of a 2K-qubit pure state), 
and then runs A on $x_1, \ldots, x_{t^*}, x$ in that order, using I as its advice state. The claimed 
values of $L_n(x_1), \ldots, L_n(x_{t^*}), L_n(x)$ are written to output registers but not measured. 
For $i \in \{0,1\}$, let the predicate $S_i(z)$ hold if and only if basis state $|z\rangle$ contains the output 
sequence $L_n(x_1), \ldots, L_n(x_{t^*}), i$. Then it is not hard to see that 

$$P_x(I_{t^*}) = \frac{\Pr[S_1]}{\Pr[S_1] + \Pr[S_0]},$$

so $P_x(I_{t^*}) > 1/2$ and hence $L_n(x) = 1$ if and only if $\Pr[S_1] > \Pr[S_0]$. Since the case 
$x \in \{x_1, \ldots, x_T\}$ is trivial, this shows that $L_n(x)$ is computable in PP/poly. ■ 
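
The sum-over-histories step used in the proof above can be carried out explicitly for a small Toffoli/Hadamard circuit. The following is an added example, not code from the thesis: the 3-qubit circuit and all function names are constructed for illustration, and each path contribution here is a sign times $2^{-h/2}$ for a circuit with h Hadamard gates, so only counts of positive and negative paths need to be compared.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed 3-qubit circuit over the gate set {Hadamard, Toffoli}.
EXAMPLE_CIRCUIT = [("H", 0), ("H", 1), ("TOFFOLI", 0, 1, 2), ("H", 0)]


def path_counts(circuit, n_qubits):
    """Enumerate all computational paths starting from |0...0>.

    Returns (h, counts): h is the number of Hadamard gates, and counts[z] is
    [positive, negative], the number of paths ending in basis state z with
    each sign. Every path contributes sign / sqrt(2)**h to the amplitude of z.
    """
    paths = [((0,) * n_qubits, 1)]
    h = 0
    for gate in circuit:
        step = []
        if gate[0] == "H":
            q = gate[1]
            h += 1
            for bits, sign in paths:
                for new in (0, 1):  # a Hadamard branches every path in two
                    branched = bits[:q] + (new,) + bits[q + 1:]
                    step.append((branched, -sign if bits[q] and new else sign))
        elif gate[0] == "TOFFOLI":
            _, c1, c2, target = gate
            for bits, sign in paths:  # a Toffoli only permutes basis states
                if bits[c1] and bits[c2]:
                    bits = bits[:target] + (1 - bits[target],) + bits[target + 1:]
                step.append((bits, sign))
        else:
            raise ValueError(f"unsupported gate {gate!r}")
        paths = step
    counts = defaultdict(lambda: [0, 0])
    for bits, sign in paths:
        counts[bits][0 if sign > 0 else 1] += 1
    return h, dict(counts)


def probability(circuit, n_qubits, predicate):
    """Pr[S]: sum of |alpha_z|^2 over basis states z satisfying the predicate."""
    h, counts = path_counts(circuit, n_qubits)
    total = sum((pos - neg) ** 2
                for z, (pos, neg) in counts.items() if predicate(z))
    return Fraction(total, 2 ** h)


def ledger(circuit, n_qubits, s1, s0):
    """Decide Pr[S1] > Pr[S0] by comparing two sums of non-negative terms.

    |alpha_z|^2 * 2**h = (pos^2 + neg^2) - 2*pos*neg, so the subtracted terms
    are moved to the other side: Pr[S1] > Pr[S0] exactly when left > right.
    """
    _, counts = path_counts(circuit, n_qubits)
    left = right = 0
    for z, (pos, neg) in counts.items():
        same, opposite = pos * pos + neg * neg, 2 * pos * neg
        if s1(z):
            left, right = left + same, right + opposite
        if s0(z):
            left, right = left + opposite, right + same
    return left, right
```

The enumeration takes time exponential in the number of Hadamard gates; the point of the PP argument is that a counting machine only needs to compare the two sides of the ledger, not list the paths.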

Let me make five remarks about Theorem 57. First, for the same reason that 
Theorem 56 works for partial as well as total functions, one actually obtains the stronger 
result that PromiseBQP/qpoly $\subseteq$ PromisePP/poly, where PromiseBQP and PromisePP are 
the promise-problem versions of BQP and PP respectively. 

Second, as pointed out to me by Lance Fortnow, a corollary of Theorem 57 is that 
we cannot hope to show an unrelativized separation between BQP/poly and BQP/qpoly, 
without also showing that PP does not have polynomial-size circuits. For BQP/poly $\neq$ 
BQP/qpoly clearly implies that P/poly $\neq$ PP/poly. But the latter then implies that PP $\not\subset$ 
P/poly, since assuming PP $\subseteq$ P/poly we could also obtain polynomial-size circuits for a 
language $L \in$ PP/poly by defining a new language $L' \in$ PP, consisting of all $(x, a)$ pairs 
such that the PP machine would accept x given advice string a. The reason this works is 
that PP is a syntactically defined class. 

Third, initially I showed that BQP/qpoly $\subseteq$ EXP/poly, by using a simulation in 
which an EXP machine keeps track of a subspace H of the advice Hilbert space to which the 
'true' advice state must be close. In that simulation, the classical advice specifies inputs 
$x_1, \ldots, x_T$ for which dim(H) is at least halved; the observation that dim(H) must be at 
least 1 by the end then implies that $T \le K = O(p(n) \log p(n))$, meaning that the advice 
is of polynomial size. The huge improvement from EXP to PP came solely from working 
with measurement outcomes and their probabilities instead of with subspaces and their 
dimensions. We can compute the former using the same "Feynman sum-over-histories" 
that Adleman et al. ^H] used to show BQP $\subseteq$ PP, but I could not see any way to compute 
the latter without explicitly storing and diagonalizing exponentially large matrices. 



Fourth, assuming BQP/poly $\neq$ BQP/qpoly, Theorem 57 is almost the best result 
of its kind that one could hope for, since the only classes known to lie between BQP and PP 
and not known to equal either are obscure ones such as AWPP [116]. Initially the theorem 
seemed to me to prove something stronger, namely that BQP/qpoly $\subseteq$ PostBQP/poly. Here 
PostBQP is the class of languages decidable by polynomial-size quantum circuits with 
postselection — meaning the ability to measure a qubit that has a nonzero probability of being 
$|1\rangle$, and then assume that the measurement outcome will be $|1\rangle$. Clearly PostBQP lies 
somewhere between BQP and PP; one can think of it as a quantum analogue of the classical 
complexity class $\mathrm{BPP}_{\mathrm{path}}$ [142]. It turns out, however, that PostBQP = PP (see Chapter 



Fifth, it is clear that Adleman et al.'s BQP $\subseteq$ PP result JH] can be extended 
to show that PQP = PP. Here PQP is the quantum analogue of PP — that is, quantum 
polynomial time but where the probability of a correct answer need only be bounded above 
1/2, rather than above 2/3. It has been asked whether Theorem 57 could similarly be 
extended to show that PQP/qpoly = PP/poly. The answer is no — for indeed, PQP/qpoly 
contains every language whatsoever! To see this, given any function $L_n : \{0,1\}^n \to \{0,1\}$, 
let the quantum advice state be 



Then a PQP algorithm to compute $L_n$ is as follows: given an input $x \in \{0,1\}^n$, first measure 
$|\psi_n\rangle$ in the standard basis. If $|x\rangle|L_n(x)\rangle$ is observed, output $L_n(x)$; otherwise output a 
uniform random bit. 




ze{o,i} 
10.3 A Direct Product Theorem for Quantum Search 

Can quantum computers solve NP-complete problems in polynomial time? In the early 
days of quantum computing, Bennett et al. [51] gave an oracle relative to which NP $\not\subset$ BQP, 
providing what is still the best evidence we have that the answer is no. It is easy to extend 
Bennett et al.'s result to give an oracle relative to which NP $\not\subset$ BQP/poly; that is, NP is 
hard even for nonuniform quantum algorithms. But when we try to show NP $\not\subset$ BQP/qpoly 
relative to an oracle, a new difficulty arises: even if the oracle encodes $2^n$ exponentially 
hard search problems for each input length n, the quantum advice, being an "exponentially 
large object" itself, might somehow encode information about all $2^n$ problems. We need 
to argue that even if so, only a minuscule fraction of that information can be extracted by 
measuring the advice. 

How does one prove such a statement? As it turns out, the task can be reduced 
to proving a direct product theorem for quantum search. This is a theorem that in its 
weakest form says the following: given N items, K of which are marked, if we lack enough 
time to find even one marked item, then the probability of finding all K items decreases 
exponentially in K. For intuitively, suppose there were a quantum advice state that let us 
efficiently find any one of K marked items. Then by "guessing" the advice (i.e. replacing 
it by a maximally mixed state), and then using the guessed advice multiple times, we could 
efficiently find all K of the items with a success probability that our direct product theorem 
shows is impossible. This reduction is formalized in Theorem 64. 

But what about the direct product theorem itself? It seems like it should be 
trivial to prove — for surely there are no devious correlations by which success in finding 
one marked item leads to success in finding all the others! So it is surprising that even 
a weak direct product theorem eluded proof for years. In 2001, Klauck |155j gave an 
attempted proof using the hybrid method of Bennett et al. |51j . His motivation was to 
show a limitation of space-bounded quantum sorting algorithms. Unfortunately, Klauck's 
proof is fallacious. 9 

In this section I give the first correct proof of a direct product theorem, based on 
the polynomial method of Beals et al. |45j . Besides showing that NP <f_ BQP/qpoly relative 
to an oracle, my result can be used to recover the conclusions in |155j about the hardness 
of quantum sorting (see Klauck, Spalek, and de Wolf |156j for details). I expect the result 
to have other applications as well. 

I will need the following lemma of Beals et al. [IHj • 

Lemma 58 (Beals et al.) Suppose a quantum algorithm makes T queries to an oracle
string $X \in \{0,1\}^N$, and accepts with probability $A(X)$. Then there exists a real polynomial
p, of degree at most 2T, such that




for all integers $i \in \{0, \ldots, N\}$, where $|X|$ denotes the Hamming weight of X.

^9 Specifically, the last sentence in the proof of Lemma 5 in [155] ("Clearly this probability is at least
Q x (p x — a)") is not justified by what precedes it. 
Lemma 58 implies that, to lower-bound the number of queries T made by a quantum
algorithm, it suffices to lower-bound deg(p), where p is a real polynomial representing
the algorithm's expected acceptance probability. As an example, any quantum algorithm
that computes the OR function on N bits, with success probability at least 2/3, yields a
polynomial p such that $p(0) \in [0, 1/3]$ and $p(i) \in [2/3, 1]$ for all integers $i \in \{1, \ldots, N\}$.
To lower-bound the degree of such a polynomial, one can use an inequality proved by A. A.
Markov in 1890 (JES|; see also [2 



Theorem 59 (A. A. Markov) Given a real polynomial p and constant N > 0, let
$r^{(0)} = \max_{x \in [0,N]} |p(x)|$ and $r^{(1)} = \max_{x \in [0,N]} |p'(x)|$. Then

$$\deg(p) \ge \sqrt{\frac{N r^{(1)}}{2 r^{(0)}}}.$$



Theorem 59 deals with the entire range [0, N], whereas in our setting p(x) is
constrained only at the integer points $x \in \{0, \ldots, N\}$. But as shown in [104, 184, 204],
this is not a problem. For by elementary calculus, $p(0) \le 1/3$ and $p(1) \ge 2/3$ imply that
$p'(x) \ge 1/3$ for some real $x \in [0,1]$, and therefore $r^{(1)} \ge 1/3$. Furthermore, let $x^*$ be a
point in [0, N] where $|p(x^*)| = r^{(0)}$. Then $p(\lfloor x^* \rfloor) \in [0, 1]$ and $p(\lceil x^* \rceil) \in [0, 1]$ imply that
$r^{(1)} \ge 2(r^{(0)} - 1)$. Thus

$$\deg(p) \ge \sqrt{\frac{N r^{(1)}}{2 r^{(0)}}} \ge \sqrt{\frac{N \max\{1/3,\ 2(r^{(0)} - 1)\}}{2 r^{(0)}}} = \Omega(\sqrt{N}).$$

This is the proof of Beals et al. that quantum search requires $\Omega(\sqrt{N})$ queries.

When proving a direct product theorem, one can no longer apply Theorem 59 so
straightforwardly. The reason is that the success probabilities in question are extremely
small, and therefore the maximum derivative $r^{(1)}$ could also be extremely small.
Fortunately, though, one can still prove a good lower bound on the degree of the relevant
polynomial p. The key is to look not just at the first derivative of p, but at higher
derivatives.

To start, we need a lemma about the behavior of functions under repeated
differentiation.



Lemma 60 Let $f : \mathbb{R} \to \mathbb{R}$ be an infinitely differentiable function such that for some
positive integer K, we have $f(i) = 0$ for all $i \in \{0, \ldots, K-1\}$ and $f(K) = \delta > 0$. Also,
let $r^{(m)} = \max_{x \in [0,N]} |f^{(m)}(x)|$, where $f^{(m)}(x)$ is the m-th derivative of f evaluated at x
(thus $f^{(0)} = f$). Then $r^{(m)} \ge \delta/m!$ for all $m \in \{0, \ldots, K\}$.

Proof. We claim, by induction on m, that there exist K − m + 1 points
$0 \le x_0^{(m)} < \cdots < x_{K-m}^{(m)} \le K$ such that $f^{(m)}(x_i^{(m)}) = 0$ for all $i \le K-m-1$ and
$f^{(m)}(x_{K-m}^{(m)}) \ge \delta/m!$. If we define $x_i^{(0)} = i$, then the base case m = 0 is immediate from
the conditions of the lemma. Suppose the claim is true for m; then by elementary calculus,
for all $i \le K-m-2$ there exists a point $x_i^{(m+1)} \in (x_i^{(m)}, x_{i+1}^{(m)})$ such that
$f^{(m+1)}(x_i^{(m+1)}) = 0$. Notice that $x_i^{(m+1)} \ge x_i^{(m)} \ge \cdots \ge x_i^{(0)} = i$. So there is also a point
$x_{K-m-1}^{(m+1)} \in (x_{K-m-1}^{(m)}, x_{K-m}^{(m)})$ such that

$$f^{(m+1)}\left(x_{K-m-1}^{(m+1)}\right) \ge \frac{f^{(m)}\left(x_{K-m}^{(m)}\right) - f^{(m)}\left(x_{K-m-1}^{(m)}\right)}{x_{K-m}^{(m)} - x_{K-m-1}^{(m)}} \ge \frac{\delta/m! - 0}{K - (K-m-1)} = \frac{\delta}{(m+1)!}.$$



With the help of Lemma 60, one can sometimes lower-bound the degree of a real
polynomial even if its first derivative is small throughout the region of interest. To do so, I
will use the following generalization of A. A. Markov's inequality (Theorem 59), which was
proved by A. A. Markov's younger brother V. A. Markov in 1892 ([173]; see also [203]).

Theorem 61 (V. A. Markov) Given a real polynomial p of degree d and positive real
number N, let $r^{(m)} = \max_{x \in [0,N]} |p^{(m)}(x)|$. Then for all $m \in \{1, \ldots, d\}$,



Here $T_d(x) = \cos(d \arccos x)$ is the d-th Chebyshev polynomial of the first kind.

As demonstrated below, combining Theorem 61 with Lemma 60 yields a lower
bound on deg(p).

Lemma 62 Let p be a real polynomial such that

(i) $p(x) \in [0, 1]$ at all integer points $x \in \{0, \ldots, N\}$, and

(ii) for some positive integer $K \le N$ and real $\delta > 0$, we have $p(K) = \delta$ and $p(i) = 0$ for
all $i \in \{0, \ldots, K-1\}$.



Proof. Let $p^{(m)}$ and $r^{(m)}$ be as in Theorem 61. Then for all $m \in \{1, \ldots, \deg(p)\}$,
Theorem 61 yields

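Rearranging,

$$\deg(p) \ge \sqrt{\frac{N}{2}\left(1 \cdot 3 \cdot 5 \cdots (2m-1) \cdot \frac{r^{(m)}}{r^{(0)}}\right)^{1/m}}$$

for all $m \ge 1$ (if $m > \deg(p)$ then $r^{(m)} = 0$ so the bound is trivial).

There are now two cases. First suppose $r^{(0)} \ge 2$. Then as discussed previously,
condition (i) implies that $r^{(1)} \ge 2(r^{(0)} - 1)$, and hence that

$$\deg(p) \ge \sqrt{\frac{N r^{(1)}}{2 r^{(0)}}} \ge \sqrt{\frac{N (r^{(0)} - 1)}{r^{(0)}}} = \Omega(\sqrt{N})$$

by Theorem 59. Next suppose $r^{(0)} < 2$. Then $r^{(m)} \ge \delta/m!$ for all $m \le K$ by Lemma 60.
So setting m = K yields

$$\deg(p) \ge \sqrt{\frac{N}{2}\left(1 \cdot 3 \cdot 5 \cdots (2K-1) \cdot \frac{\delta}{K!\, r^{(0)}}\right)^{1/K}} = \Omega\left(\sqrt{N \delta^{1/K}}\right).$$

Either way we are done. ■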

Strictly speaking, one does not need the full strength of Theorem 61 to prove a
lower bound on deg(p) that suffices for an oracle separation between NP and BQP/qpoly.
For one can show a "rough-and-ready" version of V. A. Markov's inequality by applying A.
A. Markov's inequality (Theorem 59) repeatedly, to $p, p^{(1)}, p^{(2)}$, and so on. This yields

$$r^{(m)} \le \frac{2}{N} \deg(p)^2\, r^{(m-1)} \le \left(\frac{2}{N} \deg(p)^2\right)^m r^{(0)}$$

for all m. If deg(p) is small, then this upper bound on $r^{(m)}$ contradicts the lower bound
of Lemma 60. However, the lower bound on deg(p) that one gets from A. A. Markov's
inequality is only $\Omega\left(\sqrt{N \delta^{1/K} / K}\right)$, as opposed to $\Omega\left(\sqrt{N \delta^{1/K}}\right)$ from Lemma 62.^10

Shortly after seeing my proof of a weak direct product theorem, Klauck, Špalek,
and de Wolf [156] managed to improve the lower bound on deg(p) to the essentially tight
$\Omega\left(\sqrt{N K \delta^{1/K}}\right)$. In particular, their bound implies that $\delta$ decreases exponentially in K
whenever $\deg(p) = o\left(\sqrt{NK}\right)$. They obtained this improvement by factoring p instead of
differentiating it as in Lemma

In any case, a direct product theorem follows trivially from what has already been
said.

Theorem 63 (Direct Product Theorem) Suppose a quantum algorithm makes T queries
to an oracle string $X \in \{0,1\}^N$. Let $\delta$ be the minimum probability, over all X with
Hamming weight $|X| = K$, that the algorithm finds all K of the '1' bits. Then $\delta \le (cT^2/N)^K$
for some constant c.



^10 An earlier version of this chapter claimed to prove $\deg(p) = \Omega\left(\sqrt{NK} / \log^{3/2}(1/\delta)\right)$, by applying
Bernstein's inequality [56] rather than A. A. Markov's to all derivatives $p^{(m)}$. I have since discovered a flaw
in that argument. In any case, the Bernstein lower bound is both unnecessary for an oracle separation, and
superseded by the later results of Klauck et al. [156].
Proof. Have the algorithm accept if it finds K or more '1' bits and reject otherwise.
Let p(i) be the expected probability of acceptance if X is drawn uniformly at random subject
to $|X| = i$. Then we know the following about p:

(i) $p(i) \in [0, 1]$ at all integer points $i \in \{0, \ldots, N\}$, since p(i) is a probability.

(ii) $p(i) = 0$ for all $i \in \{0, \ldots, K-1\}$, since there are not K marked items to be found.

(iii) $p(K) \ge \delta$.

Furthermore, Lemma 58 implies that p is a polynomial in i satisfying $\deg(p) \le 2T$.
It follows from Lemma 62 that $T = \Omega\left(\sqrt{N \delta^{1/K}}\right)$, or rearranging, that $\delta \le (cT^2/N)^K$. ■

The desired oracle separation can now be proven using standard complexity theory
tricks.

Theorem 64 There exists an oracle relative to which $\mathrm{NP} \not\subset \mathrm{BQP/qpoly}$.

Proof. Given an oracle $A : \{0,1\}^* \to \{0,1\}$, define the language $L_A$ by $(y, z) \in L_A$
if and only if $y \le z$ lexicographically and there exists an x such that $y \le x \le z$ and $A(x) = 1$.
Clearly $L_A \in \mathrm{NP}^A$ for all A. We argue that for some A, no BQP/qpoly machine M with
oracle access to A can decide $L_A$. Without loss of generality we assume M is fixed, so that
only the advice states $\{|\psi_n\rangle\}_{n \ge 1}$ depend on A. We also assume the advice is boosted, so
that M's error probability on any input (y, z) is $2^{-\Omega(n)}$.

Choose a set $S \subseteq \{0,1\}^n$ subject to $|S| = 2^{n/10}$; then for all $x \in \{0,1\}^n$, set
$A(x) = 1$ if and only if $x \in S$. We claim that by using M, an algorithm could find all
$2^{n/10}$ elements of S with high probability after only $2^{n/10}\,\mathrm{poly}(n)$ queries to A. Here is
how: first use binary search (repeatedly halving the distance between y and z) to find the
lexicographically first element of S. By Lemma the boosted advice state $|\psi_n\rangle$ is good
for $2^{\Omega(n)}$ uses, so this takes only poly(n) queries. Then use binary search to find the
lexicographically second element, and so on until all elements have been found.

Now replace $|\psi_n\rangle$ by the maximally mixed state as in Theorem 56. This yields an
algorithm that uses no advice, makes $2^{n/10}\,\mathrm{poly}(n)$ queries, and finds all $2^{n/10}$ elements of
S with probability $2^{-O(\mathrm{poly}(n))}$. But taking $\delta = 2^{-O(\mathrm{poly}(n))}$, $T = 2^{n/10}\,\mathrm{poly}(n)$, $N = 2^n$,
and $K = 2^{n/10}$, such an algorithm would satisfy $\delta \gg (cT^2/N)^K$, which violates the bound
of Theorem 63. ■

Indeed one can show that $\mathrm{NP} \not\subset \mathrm{BQP/qpoly}$ relative to a random oracle with
probability 1.^11
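
The binary-search step in the proof of Theorem 64 can be made concrete. The following sketch is an added illustration, not code from the thesis: it replaces the BQP/qpoly machine M by a hypothetical classical `RangeOracle` that decides $L_A$ exactly, and the names `first_marked`, `enumerate_marked` and `query_budget` are likewise assumptions of this example. It shows that (|S| + 1)(n + 1) decisions of $L_A$ suffice to list every element of S.

```python
import bisect


class RangeOracle:
    """Stand-in for the machine M: decides L_A for the oracle A(x) = 1 iff x in S.

    (y, z) is in L_A iff y <= z and some x with y <= x <= z has A(x) = 1.
    Strings of length n are represented as integers in [0, 2^n).
    """

    def __init__(self, marked):
        self.marked = sorted(marked)  # the set S (constructed sample data)
        self.calls = 0                # number of decisions of L_A made so far

    def decide(self, y, z):
        self.calls += 1
        if y > z:
            return False
        i = bisect.bisect_left(self.marked, y)
        return i < len(self.marked) and self.marked[i] <= z


def first_marked(oracle, lo, hi):
    """Lexicographically first element of S in [lo, hi], or None if there is none."""
    if not oracle.decide(lo, hi):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.decide(lo, mid):   # a marked item lies in the lower half
            hi = mid
        else:                        # otherwise it must lie in the upper half
            lo = mid + 1
    return lo


def enumerate_marked(oracle, n):
    """Find every element of S by repeating the binary search past each hit."""
    top = (1 << n) - 1
    found, start = [], 0
    while start <= top:
        x = first_marked(oracle, start, top)
        if x is None:
            break
        found.append(x)
        start = x + 1
    return found


def query_budget(k, n):
    """Upper bound on decisions of L_A: k successful searches plus one failing one,
    each costing at most one existence check and n halvings."""
    return (k + 1) * (n + 1)


if __name__ == "__main__":
    S = [3, 4, 1000, 40000, 65535]   # constructed example with n = 16
    oracle = RangeOracle(S)
    print(enumerate_marked(oracle, 16), oracle.calls, query_budget(len(S), 16))
```

In the proof, each call to `decide` is one run of M on the boosted advice state, which is why the advice has to survive many uses.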

^11 First group the oracle bits into polynomial-size blocks as Bennett and Gill [54] do, then use the techniques
of Chapter |H| to show that the acceptance probability is a low-degree univariate polynomial in the number
of all-0 blocks. The rest of the proof follows Theorem 64.

10.4 The Trace Distance Method

This section introduces a new method for proving lower bounds on quantum one-way
communication complexity. Unlike in Section 10.2, here I do not try to simulate quantum
protocols using classical ones. Instead I prove lower bounds for quantum protocols
directly, by reasoning about the trace distance between two possible distributions over Alice's
quantum message (that is, between two mixed states). The result is a method that works
even if Alice's and Bob's inputs are the same size.

I first state the method as a general theorem; then, in Section 10.4.1, I apply the
theorem to prove lower bounds for two problems of Ambainis. Let $\|\mathcal{D} - \mathcal{E}\|$ denote the
variation distance between probability distributions $\mathcal{D}$ and $\mathcal{E}$.



Theorem 65 Let $f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$ be a total Boolean function. For each
$y \in \{0,1\}^m$, let $\mathcal{A}_y$ be a distribution over $x \in \{0,1\}^n$ such that $f(x,y) = 1$. Let $\mathcal{B}$ be
a distribution over $y \in \{0,1\}^m$, and let $\mathcal{D}_k$ be the distribution over $(\{0,1\}^n)^k$ formed by
first choosing $y \in \mathcal{B}$ and then choosing k samples independently from $\mathcal{A}_y$. Suppose that
$\Pr_{x \in \mathcal{D}_1, y \in \mathcal{B}}[f(x,y) = 0] = \Omega(1)$ and that $\|\mathcal{D}_2 - \mathcal{D}_1^2\| \le \delta$. Then $Q_2^1(f) = \Omega(\log 1/\delta)$.



Proof. Suppose that if Alice's input is x, then she sends Bob the $\ell$-qubit mixed
state $\rho_x$. Suppose also that for every $x \in \{0,1\}^n$ and $y \in \{0,1\}^m$, Bob outputs $f(x,y)$
with probability at least 2/3. Then by amplifying a constant number of times, Bob's
success probability can be made $1 - \varepsilon$ for any constant $\varepsilon > 0$. So with $L = O(\ell)$ qubits of
communication, Bob can distinguish the following two cases with constant bias:

Case I. y was drawn from $\mathcal{B}$ and x from $\mathcal{D}_1$.

Case II. y was drawn from $\mathcal{B}$ and x from $\mathcal{A}_y$.

For in Case I, we assumed that $f(x,y) = 0$ with constant probability, whereas in
Case II, $f(x,y) = 1$ always. An equivalent way to say this is that with constant probability
over y, Bob can distinguish the mixed states $\rho = \mathrm{EX}_{x \in \mathcal{D}_1}[\rho_x]$ and $\rho_y = \mathrm{EX}_{x \in \mathcal{A}_y}[\rho_x]$ with
constant bias. Therefore

$$\mathrm{EX}_{y \in \mathcal{B}}\left[\|\rho - \rho_y\|_{\mathrm{tr}}\right] = \Omega(1).$$



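We need an upper bound on the trace distance $\|\rho - \rho_y\|_{\mathrm{tr}}$ that is more amenable
to analysis. Let $\lambda_1, \ldots, \lambda_{2^L}$ be the eigenvalues of $\rho - \rho_y$. Then

$$\|\rho - \rho_y\|_{\mathrm{tr}} = \frac{1}{2} \sum_{i=1}^{2^L} |\lambda_i|$$
$$\le \frac{1}{2} \sqrt{2^L \sum_{i=1}^{2^L} \lambda_i^2}$$
$$= 2^{L/2-1} \sqrt{\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2}$$

where $(\rho)_{ij}$ is the (i, j) entry of $\rho$. Here the second line uses the Cauchy-Schwarz inequality,
and the third line uses the unitary invariance of the Frobenius norm.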
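We claim that

$$\mathrm{EX}_{y \in \mathcal{B}}\left[\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2\right] \le 2\delta.$$

From this claim it follows that

$$\mathrm{EX}_{y \in \mathcal{B}}\left[\|\rho - \rho_y\|_{\mathrm{tr}}\right] \le 2^{L/2-1}\, \mathrm{EX}_{y \in \mathcal{B}}\left[\sqrt{\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2}\right] \le 2^{L/2-1} \sqrt{\mathrm{EX}_{y \in \mathcal{B}}\left[\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2\right]}.$$

Therefore the message length L must be $\Omega(\log 1/\delta)$ to ensure that $\mathrm{EX}_{y \in \mathcal{B}}\left[\|\rho - \rho_y\|_{\mathrm{tr}}\right] = \Omega(1)$.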

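Let us now prove the claim. We have

$$\mathrm{EX}_{y \in \mathcal{B}}\left[\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2\right] = \sum_{i,j=1}^{2^L} \left( \left|(\rho)_{ij}\right|^2 - 2\,\mathrm{Re}\left((\rho)_{ij}^*\, \mathrm{EX}_{y \in \mathcal{B}}\left[(\rho_y)_{ij}\right]\right) + \mathrm{EX}_{y \in \mathcal{B}}\left[\left|(\rho_y)_{ij}\right|^2\right] \right)$$
$$= \sum_{i,j=1}^{2^L} \left( \mathrm{EX}_{y \in \mathcal{B}}\left[\left|(\rho_y)_{ij}\right|^2\right] - \left|(\rho)_{ij}\right|^2 \right),$$

since $\mathrm{EX}_{y \in \mathcal{B}}\left[(\rho_y)_{ij}\right] = (\rho)_{ij}$. For a given (i, j) pair,

$$\mathrm{EX}_{y \in \mathcal{B}}\left[\left|(\rho_y)_{ij}\right|^2\right] - \left|(\rho)_{ij}\right|^2 = \mathrm{EX}_{y \in \mathcal{B}}\left[\left|\mathrm{EX}_{x \in \mathcal{A}_y}\left[(\rho_x)_{ij}\right]\right|^2\right] - \left|\mathrm{EX}_{x \in \mathcal{D}_1}\left[(\rho_x)_{ij}\right]\right|^2$$
$$= \mathrm{EX}_{y \in \mathcal{B},\ x,z \in \mathcal{A}_y}\left[(\rho_x)_{ij}^* (\rho_z)_{ij}\right] - \mathrm{EX}_{x,z \in \mathcal{D}_1}\left[(\rho_x)_{ij}^* (\rho_z)_{ij}\right]$$
$$= \sum_{x,z} \left(\Pr_{\mathcal{D}_2}[x,z] - \Pr_{\mathcal{D}_1^2}[x,z]\right) (\rho_x)_{ij}^* (\rho_z)_{ij}.$$

Now for all x, z,

$$\left|\sum_{i,j=1}^{2^L} (\rho_x)_{ij}^* (\rho_z)_{ij}\right| \le \sum_{i,j=1}^{2^L} \left|(\rho_x)_{ij}\right|^2 \le 1.$$

Hence

$$\sum_{x,z} \left(\Pr_{\mathcal{D}_2}[x,z] - \Pr_{\mathcal{D}_1^2}[x,z]\right) \sum_{i,j=1}^{2^L} (\rho_x)_{ij}^* (\rho_z)_{ij} \le \sum_{x,z} \left|\Pr_{\mathcal{D}_2}[x,z] - \Pr_{\mathcal{D}_1^2}[x,z]\right| = 2\left\|\mathcal{D}_2 - \mathcal{D}_1^2\right\| \le 2\delta,$$

and we are done. ■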

The difficulty in extending Theorem 65 to partial functions is that the distribution
$\mathcal{D}_1$ might not make sense, since it might assign a nonzero probability to some x for which
$f(x,y)$ is undefined.

10.4.1 Applications

In this subsection I apply Theorem 65 to prove lower bounds for two problems of Ambainis.
To facilitate further research and to investigate the scope of our method, I state the problems
in a more general way than Ambainis did. Given a group G, the coset problem Coset(G)
is defined as follows. Alice is given a left coset C of a subgroup in G, and Bob is given
an element $y \in G$. Bob must output 1 if $y \in C$ and 0 otherwise. By restricting the
group G, we obtain many interesting and natural problems. For example, if p is prime
then $\mathrm{Coset}(\mathbb{Z}_p)$ is just the equality problem, so the protocol of Rabin and Yao [192] yields
$Q_2^1(\mathrm{Coset}(\mathbb{Z}_p)) = \Theta(\log \log p)$.

Theorem 66 $Q_2^1(\mathrm{Coset}(\mathbb{Z}_p^2)) = \Theta(\log p)$.

Proof. The upper bound is obvious. For the lower bound, it suffices to consider
a function $f_p$ defined as follows. Alice is given $(x, y) \in \mathbb{F}_p^2$ and Bob is given $(a, b) \in \mathbb{F}_p^2$;
then

$$f_p(x, y, a, b) = \begin{cases} 1 & \text{if } y \equiv ax + b \pmod{p} \\ 0 & \text{otherwise.} \end{cases}$$

Let $\mathcal{B}$ be the uniform distribution over $(a, b) \in \mathbb{F}_p^2$, and let $\mathcal{A}_{a,b}$ be the uniform distribution
over (x, y) such that $y \equiv ax + b \pmod{p}$. Thus $\mathcal{D}_1$ is the uniform distribution over
$(x, y) \in \mathbb{F}_p^2$; note that

$$\Pr_{(x,y) \in \mathcal{D}_1,\ (a,b) \in \mathcal{B}}\left[f_p(x,y,a,b) = 0\right] = 1 - \frac{1}{p}.$$

But what about the distribution $\mathcal{D}_2$, which is formed by first drawing $(a, b) \in \mathcal{B}$, and then
drawing (x, y) and (z, w) independently from $\mathcal{A}_{a,b}$? Given a pair $(x, y), (z, w) \in \mathbb{F}_p^2$, there
are three cases regarding the probability of its being drawn from $\mathcal{D}_2$.

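(1) $(x,y) = (z,w)$ ($p^2$ pairs). In this case

$$\Pr_{\mathcal{D}_2}[(x,y),(z,w)] = \sum_{(a,b) \in \mathbb{F}_p^2} \Pr[(a,b)]\, \Pr[(x,y),(z,w) \mid (a,b)] = p\left(\frac{1}{p^2} \cdot \frac{1}{p^2}\right) = \frac{1}{p^3}.$$

(2) $x \ne z$ ($p^4 - p^3$ pairs). In this case there exists a unique $(a^*, b^*)$ such that
$y \equiv a^* x + b^* \pmod{p}$ and $w \equiv a^* z + b^* \pmod{p}$, so

$$\Pr_{\mathcal{D}_2}[(x,y),(z,w)] = \Pr[(a^*,b^*)]\, \Pr[(x,y),(z,w) \mid (a^*,b^*)] = \frac{1}{p^2} \cdot \frac{1}{p^2} = \frac{1}{p^4}.$$

(3) $x = z$ but $y \ne w$ ($p^3 - p^2$ pairs). In this case $\Pr_{\mathcal{D}_2}[(x,y),(z,w)] = 0$.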
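Putting it all together,

$$\left\|\mathcal{D}_2 - \mathcal{D}_1^2\right\| = \frac{1}{2}\left( p^2 \left|\frac{1}{p^3} - \frac{1}{p^4}\right| + (p^4 - p^3)\left|\frac{1}{p^4} - \frac{1}{p^4}\right| + (p^3 - p^2)\left|0 - \frac{1}{p^4}\right| \right) = \frac{1}{p} - \frac{1}{p^2}.$$

So taking $\delta = 1/p - 1/p^2$, we have $Q_2^1(\mathrm{Coset}(\mathbb{Z}_p^2)) = \Omega(\log(1/\delta)) = \Omega(\log p)$ by Theorem
65. ■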

I now consider Ambainis' second problem. Given a group G and nonempty set
$S \subset G$ with $|S| \le |G|/2$, the subset problem Subset(G, S) is defined as follows. Alice is
given $x \in G$ and Bob is given $y \in G$; then Bob must output 1 if $xy \in S$ and 0 otherwise.

Let $\mathcal{M}$ be the distribution over $st^{-1} \in G$ formed by drawing s and t uniformly
and independently from S. Then let $\Delta = \|\mathcal{M} - \mathcal{D}_1\|$, where $\mathcal{D}_1$ is the uniform distribution
over G.



Proposition 67 For all G, S such that $|S| \le |G|/2$,

$Q_2^1(\mathrm{Subset}(G, S)) = \Omega(\log 1/\Delta)$.

Proof. Let $\mathcal{B}$ be the uniform distribution over $y \in G$, and let $\mathcal{A}_y$ be the uniform
distribution over x such that $xy \in S$. Thus $\mathcal{D}_1$ is the uniform distribution over $x \in G$; note
that



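We have

$$\left\|\mathcal{D}_2 - \mathcal{D}_1^2\right\| = \frac{1}{2} \sum_{x,z \in G} \left| \frac{\left|\{y \in G,\ s,t \in S : xy = s,\ zy = t\}\right|}{|G|\,|S|^2} - \frac{1}{|G|^2} \right|$$
$$= \frac{1}{2} \sum_{x,z \in G} \left| \frac{\left|\{s,t \in S : xz^{-1} = st^{-1}\}\right|}{|G|\,|S|^2} - \frac{1}{|G|^2} \right|$$
$$= \frac{1}{2} \sum_{x \in G} \left| \frac{\left|\{s,t \in S : x = st^{-1}\}\right|}{|S|^2} - \frac{1}{|G|} \right|$$
$$= \left\|\mathcal{M} - \mathcal{D}_1\right\| = \Delta.$$

Therefore $\log(1/\delta) = \Omega(\log 1/\Delta)$. ■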
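
The two variation-distance computations above (Theorem 66 and Proposition 67) can be checked by brute force on small instances. The following is an added example, not code from the thesis: it builds $\mathcal{D}_1$ and $\mathcal{D}_2$ exactly as Theorem 65 defines them, using exact rational arithmetic. The function names are hypothetical, and the subset problem is instantiated over the additive group $\mathbb{Z}_n$ (so $xy$ becomes $x + y \bmod n$ and $st^{-1}$ becomes $s - t \bmod n$), which is an assumption of this example.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product


def d2_minus_d1_squared(B, A):
    """Return ||D_2 - D_1^2|| for the construction in Theorem 65.

    B maps each Bob input y to Pr[y]; A[y] maps each Alice input x to Pr[x | y].
    D_k draws y from B and then k independent samples from A[y].
    """
    d1 = defaultdict(Fraction)
    d2 = defaultdict(Fraction)
    for y, py in B.items():
        for x, px in A[y].items():
            d1[x] += py * px
            for z, pz in A[y].items():
                d2[(x, z)] += py * px * pz
    support = list(d1)  # pairs outside the support of D_1 have mass 0 under both
    return sum(abs(d2.get((x, z), 0) - d1[x] * d1[z])
               for x in support for z in support) / 2


def coset_instance(p):
    """Theorem 66: Bob holds a line (a, b) over F_p, Alice a point on that line."""
    B = {ab: Fraction(1, p * p) for ab in product(range(p), repeat=2)}
    A = {(a, b): {(x, (a * x + b) % p): Fraction(1, p) for x in range(p)}
         for (a, b) in B}
    return B, A


def subset_instance(n, S):
    """Proposition 67 over Z_n: Alice's x is uniform among those with x + y in S."""
    B = {y: Fraction(1, n) for y in range(n)}
    A = {y: {(s - y) % n: Fraction(1, len(S)) for s in S} for y in range(n)}
    return B, A


def delta_M(n, S):
    """Delta = ||M - D_1||, with M the distribution of s - t for s, t uniform in S."""
    m = defaultdict(Fraction)
    for s, t in product(S, repeat=2):
        m[(s - t) % n] += Fraction(1, len(S) ** 2)
    return sum(abs(m.get(g, 0) - Fraction(1, n)) for g in range(n)) / 2


def coset_closed_form(p):
    """The value 1/p - 1/p^2 derived in the proof of Theorem 66."""
    return Fraction(1, p) - Fraction(1, p * p)


if __name__ == "__main__":
    for p in (2, 3, 5, 7):
        print(p, d2_minus_d1_squared(*coset_instance(p)), coset_closed_form(p))
    S = [0, 1, 4, 6]  # constructed sample subset of Z_12
    print(d2_minus_d1_squared(*subset_instance(12, S)), delta_M(12, S))
```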

Having lower-bounded $Q_2^1(\mathrm{Subset}(G, S))$ in terms of $1/\Delta$, it remains only to
upper-bound the variation distance $\Delta$. The following proposition implies that for all
constants $\varepsilon > 0$, if S is chosen uniformly at random subject to $|S| = |G|^{1/2+\varepsilon}$, then
$Q_2^1(\mathrm{Subset}(G, S)) = \Omega(\log(|G|))$ with constant probability over S.

Theorem 68 For all groups G and integers $K \in \{1, \ldots, |G|\}$, if $S \subset G$ is chosen uniformly
at random subject to $|S| = K$, then $\Delta = O\left(\sqrt{|G|}/K\right)$ with $\Omega(1)$ probability over S.



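Proof. We have

$$\Delta = \frac{1}{2} \sum_{x \in G} \left|\Pr_{\mathcal{M}}[x] - \frac{1}{|G|}\right| \le \frac{\sqrt{|G|}}{2} \sqrt{\sum_{x \in G} \left(\Pr_{\mathcal{M}}[x] - \frac{1}{|G|}\right)^2}$$

by the Cauchy-Schwarz inequality. We claim that

$$\mathrm{EX}_S\left[\sum_{x \in G} \left(\Pr_{\mathcal{M}}[x] - \frac{1}{|G|}\right)^2\right] \le \frac{c}{K^2}$$

for some constant c. From this it follows by Markov's inequality that

$$\Pr_S\left[\sum_{x \in G} \left(\Pr_{\mathcal{M}}[x] - \frac{1}{|G|}\right)^2 \ge \frac{2c}{K^2}\right] \le \frac{1}{2}$$

and hence

$$\Delta \le \frac{\sqrt{|G|}}{2} \sqrt{\frac{2c}{K^2}} = O\left(\frac{\sqrt{|G|}}{K}\right)$$

with probability at least 1/2.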

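Let us now prove the claim. We have

$$\Pr_{\mathcal{M}}[x] = \Pr_{i,j}\left[s_i s_j^{-1} = x\right] = \Pr_{i,j}\left[s_i = x s_j\right],$$

where $S = \{s_1, \ldots, s_K\}$ and i, j are drawn uniformly and independently from $\{1, \ldots, K\}$.
So by linearity of expectation,

$$\mathrm{EX}_S\left[\sum_{x \in G} \left(\Pr_{\mathcal{M}}[x] - \frac{1}{|G|}\right)^2\right] = \mathrm{EX}_S\left[\sum_{x \in G} \left( \left(\Pr_{i,j}[s_i = x s_j]\right)^2 - \frac{2}{|G|} \Pr_{i,j}[s_i = x s_j] + \frac{1}{|G|^2} \right)\right]$$
$$= \sum_{x \in G} \left(\frac{1}{K^4} \sum_{i,j,k,l=1}^{K} p_{x,ijkl}\right) - \frac{2}{|G|} \sum_{x \in G} \left(\frac{1}{K^2} \sum_{i,j=1}^{K} p_{x,ij}\right) + \frac{1}{|G|}$$

where

$$p_{x,ij} = \Pr_S\left[s_i = x s_j\right],$$
$$p_{x,ijkl} = \Pr_S\left[s_i = x s_j \wedge s_k = x s_l\right].$$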

First we analyze $p_{x,ij}$. Let ord(x) be the order of x in G. Of the $K^2$ possible
ordered pairs (i, j), there are K pairs with the "pattern" ii (meaning that i = j), and
K(K − 1) pairs with the pattern ij (meaning that $i \ne j$). If ord(x) = 1 (that is, x is the
identity), then we have $p_{x,ij} = \Pr_S[s_i = s_j]$, so $p_{x,ij} = 1$ under the pattern ii, and $p_{x,ij} = 0$
under the pattern ij. On the other hand, if ord(x) > 1, then $p_{x,ij} = 0$ under the pattern
ii, and $p_{x,ij} = \frac{1}{|G|-1}$ under the pattern ij. So

$$\frac{1}{K^2} \sum_{x \in G} \sum_{i,j=1}^{K} p_{x,ij} = \frac{1}{K^2}\left(K + (|G| - 1)\frac{K(K-1)}{|G| - 1}\right) = 1.$$

Though unnecessarily cumbersome, the above analysis was a warmup for the more
complicated case of $p_{x,ijkl}$. Table 10.1 lists the expressions for $p_{x,ijkl}$, given ord(x) and the
pattern of (i, j, k, l).

Pattern                  Number of such 4-tuples   ord(x) = 1   ord(x) = 2            ord(x) > 2
iiii, iikk               K^2                       1            0                     0
ijij                     K(K-1)                    0            1/(|G|-1)             1/(|G|-1)
ijji                     K(K-1)                    0            1/(|G|-1)             0
iiil, iiki, ijii, ijjj   4K(K-1)                   0            0                     0
ijki, ijjk               2K(K-1)(K-2)              0            0                     1/((|G|-1)(|G|-2))
iikl, ijkk, ijik, ijkj   4K(K-1)(K-2)              0            0                     0
ijkl                     K(K-1)(K-2)(K-3)          0            1/((|G|-1)(|G|-3))    1/((|G|-1)(|G|-3))

Table 10.1: Expressions for $p_{x,ijkl}$

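Let r be the number of $x \in G$ such that ord(x) = 2, and let $r' = |G| - r - 1$ be
the number such that ord(x) > 2. Then

$$\frac{1}{K^4} \sum_{x \in G} \sum_{i,j,k,l=1}^{K} p_{x,ijkl} = \frac{1}{K^4}\left( K^2 + (2r + r')\frac{K(K-1)}{|G|-1} + 2r'\frac{K(K-1)(K-2)}{(|G|-1)(|G|-2)} + (r + r')\frac{K(K-1)(K-2)(K-3)}{(|G|-1)(|G|-3)} \right)$$
$$\le \frac{1}{|G|-3} + O\left(\frac{1}{K^2}\right)$$

using the fact that $K \le |G|$.

Putting it all together,

$$\mathrm{EX}_S\left[\sum_{x \in G} \left(\Pr_{\mathcal{M}}[x] - \frac{1}{|G|}\right)^2\right] \le \frac{1}{|G|-3} + O\left(\frac{1}{K^2}\right) - \frac{2}{|G|} + \frac{1}{|G|} = O\left(\frac{1}{K^2}\right)$$

and we are done. ■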

From fingerprinting one also has the following upper bound. Let q be the
periodicity of S, defined as the number of distinct sets $gS = \{gs : s \in S\}$ where $g \in G$.

Proposition 69 $R_2^1(\mathrm{Subset}(G, S)) = O(\log |S| + \log \log q)$.

Proof. Assume for simplicity that q = |G|; otherwise we could reduce to a
subgroup $H \le G$ with $|H| = q$. The protocol is as follows: Alice draws a uniform random prime
p from the range $\left[|S|^2 \log^2 |G|,\ 2|S|^2 \log^2 |G|\right]$; she then sends Bob the pair $(p, x \bmod p)$
where x is interpreted as an integer. This takes $O(\log |S| + \log \log |G|)$ bits. Bob outputs
1 if and only if there exists a $z \in G$ such that $zy \in S$ and $x \equiv z \pmod{p}$. To see the
protocol's correctness, observe that if $x \ne z$, then there are at most $\log |G|$ primes p such that
$x - z \equiv 0 \pmod{p}$, whereas the relevant range contains $\Omega\left(\frac{|S|^2 \log^2 |G|}{\log(|S| \log |G|)}\right)$ primes. Therefore,
if $xy \notin S$, then by the union bound

$$\Pr_p\left[\exists z : zy \in S,\ x \equiv z \pmod{p}\right] = O\left(|S| \log |G| \cdot \frac{\log(|S| \log |G|)}{|S|^2 \log^2 |G|}\right) = o(1).$$
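
The fingerprinting protocol in the proof of Proposition 69 is short enough to run. The sketch below is an added example, not code from the thesis: it instantiates the protocol over the additive group $\mathbb{Z}_n$ (so $zy \in S$ becomes $z + y \bmod n \in S$), takes logarithms base 2, and uses a constructed set `S_DEMO`; the class and function names are hypothetical. It shows the one-sided error: a yes-instance is accepted for every prime, while a no-instance is accepted only for the few primes that divide some $x - z$.

```python
import math
import random


def primes_between(lo, hi):
    """All primes p with lo <= p <= hi, by a plain sieve of Eratosthenes."""
    sieve = bytearray([1]) * (hi + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(hi) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, hi + 1, i)))
    return [q for q in range(lo, hi + 1) if sieve[q]]


class SubsetFingerprint:
    """One-way randomized protocol for Subset(Z_n, S) from Proposition 69."""

    def __init__(self, n, S):
        self.n = n
        self.S = sorted(set(s % n for s in S))
        # Prime range [m, 2m] with m = |S|^2 log^2 |G| (log base 2 assumed here).
        m = len(self.S) ** 2 * math.ceil(math.log2(n)) ** 2
        self.primes = primes_between(m, 2 * m)
        # Alice sends p and x mod p, each of which fits in the bit length of 2m.
        self.message_bits = 2 * (2 * m).bit_length()

    def truth(self, x, y):
        return (x + y) % self.n in self.S

    def alice(self, x, rng):
        p = rng.choice(self.primes)
        return p, x % p

    def bob(self, y, message):
        p, residue = message
        # Candidates z with z + y in S are exactly z = s - y for s in S.
        return any(((s - y) % self.n) % p == residue for s in self.S)

    def accepting_primes(self, x, y):
        """Primes in the range for which Bob would output 1 on inputs (x, y)."""
        return [p for p in self.primes if self.bob(y, (p, x % p))]


def acceptance_rate(proto, x, y, trials, seed=0):
    rng = random.Random(seed)
    return sum(proto.bob(y, proto.alice(x, rng)) for _ in range(trials)) / trials


# Constructed sample instance: G = Z_{2^64}, |S| = 8.
N_DEMO = 2 ** 64
S_DEMO = [5, 2 ** 20 + 7, 2 ** 33 + 1, 2 ** 40 + 12345,
          2 ** 47 + 99, 2 ** 55 + 3, 2 ** 60 + 17, 2 ** 63 + 1]

if __name__ == "__main__":
    proto = SubsetFingerprint(N_DEMO, S_DEMO)
    y = 987654321
    x_yes = (S_DEMO[3] - y) % N_DEMO
    x_no = 123456789012345
    print("bits sent:", proto.message_bits, "instead of", N_DEMO.bit_length() - 1)
    print("yes-instance accept rate:", acceptance_rate(proto, x_yes, y, 1000))
    print("no-instance bad primes:", len(proto.accepting_primes(x_no, y)),
          "of", len(proto.primes))
```

For this instance every prime in the range is at least $2^{18}$, so any nonzero $|x - z| < 2^{64}$ has at most three such prime factors and a no-instance is accepted for at most $3|S| = 24$ primes.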



10.5 Open Problems 

Are $R_2^1(f)$ and $Q_2^1(f)$ polynomially related for every total Boolean function f? Also, can
we exhibit any asymptotic separation between these measures? The best separation I know
of is a factor of 2: for the equality function we have $R_2^1(\mathrm{EQ}) \ge (1 - o(1)) \log_2 n$, whereas
Winter |M] has shown that $Q_2^1(\mathrm{EQ}) \le (1/2 + o(1)) \log_2 n$ using a protocol involving mixed
states.^12 This factor-2 savings is tight for equality: a simple counting argument shows that
$Q_2^1(\mathrm{EQ}) \ge (1/2 - o(1)) \log_2 n$; and although the usual randomized protocol for equality
[192] uses $(2 + o(1)) \log_2 n$ bits, there exist protocols based on error-correcting codes that
use only $\log_2(cn) = \log_2 n + O(1)$ bits. All of this holds for any constant error probability
$0 < \varepsilon < 1/2$.

Can we lower-bound $Q_2^1(\mathrm{Coset}(G))$ for groups other than $\mathbb{Z}_p^2$ (such as $\mathbb{Z}_2^n$, or
nonabelian groups)? Also, can we characterize $Q_2^1(\mathrm{Subset}(G, S))$ for all sets S, closing the
gap between the upper and lower bounds?

Is there an oracle relative to which $\mathrm{BQP/poly} \ne \mathrm{BQP/qpoly}$?

Can we give oracles relative to which $\mathrm{NP} \cap \mathrm{coNP}$ and SZK are not contained in
BQP/qpoly? Even more ambitiously, can we prove a direct product theorem for quantum
query complexity that applies to any partial or total function (not just search)?

For all f (partial or total), is $R_2^1(f) = O(\sqrt{n})$ whenever $Q_2^1(f) = O(\log n)$? In
other words, is the separation of Bar-Yossef et al. [43] the best possible?

Can the result $D^1(f) = O(m\, Q_2^1(f) \log Q_2^1(f))$ for partial f be improved to
$D^1(f) = O(m\, Q_2^1(f))$? I do not even know how to rule out $D^1(f) = O(m + Q_2^1(f))$.

In the Simultaneous Messages (SM) model, there is no direct communication
between Alice and Bob; instead, Alice and Bob both send messages to a third party called the
referee, who then outputs the function value. The complexity measure is the sum of the two
message lengths. Let $R_2^{\|}(f)$ and $Q_2^{\|}(f)$ be the randomized and quantum bounded-error
SM complexities of f respectively, and let $R_2^{\|,\mathrm{pub}}(f)$ be the randomized SM complexity if
Alice and Bob share an arbitrarily long random string. Building on work by Buhrman et
al. [75], Yao [249] showed that $Q_2^{\|}(f) = O(\log n)$ whenever $R_2^{\|,\mathrm{pub}}(f) = O(1)$. He then
asked about the other direction: for some $\varepsilon > 0$, does $R_2^{\|,\mathrm{pub}}(f) = O(n^{1/2-\varepsilon})$ whenever
$Q_2^{\|}(f) = O(\log n)$, and does $R_2^{\|}(f) = O(n^{1-\varepsilon})$ whenever $Q_2^{\|}(f) = O(\log n)$? In an earlier
version of this chapter, I showed that $R_2^{\|}(f) = O\left(\sqrt{n}\left(R_2^{\|,\mathrm{pub}}(f) + \log n\right)\right)$, which means
that a positive answer to Yao's first question would imply a positive answer to the second.
Later I learned that Yao independently proved the same result [249]. Here I ask a related
question: can $Q_2^{\|}(f)$ ever be exponentially smaller than $R_2^{\|,\mathrm{pub}}(f)$? (Buhrman et al. [75]
showed that $Q_2^{\|}(f)$ can be exponentially smaller than $R_2^{\|}(f)$.) Iordanis Kerenidis has
pointed out to me that, based on the hidden matching problem of Bar-Yossef et al. [43]
discussed in Section 10.1, one can define a relation for which $Q_2^{\|}(f)$ is exponentially smaller
than $R_2^{\|,\mathrm{pub}}(f)$. However, as in the case of $Q_2^1(f)$ versus $R_2^1(f)$, it remains to extend that
result to functions.

^12 If we restrict ourselves to pure states, then $(1 - o(1)) \log_2 n$ qubits are needed. Based on that fact, a
previous version of this chapter claimed incorrectly that $Q_2^1(\mathrm{EQ}) \ge (1 - o(1)) \log_2 n$.
Chapter 11

Summary of Part I



From my unbiased perspective, quantum lower bounds are some of the deepest
results to have emerged from the study of quantum computing and information. These
results tell us that many problems we thought were intractable based on classical intuition,
really are intractable according to our best theory of the physical world. On the other hand,
the reasons for intractability are much more subtle than in the classical case. In some sense,
this has to be true — for otherwise the reasons would apply even to those problems for which
dramatic quantum speedups exist.

We currently have two methods for proving lower bounds on quantum query
complexity: the polynomial method of Beals et al. [45], and the adversary method of Ambainis
[27]. The preceding chapters have illustrated what, borrowing from Wigner [242], we might
call the "unreasonable effectiveness" of these methods. Both continue to work far outside
of their original design specs — whether by proving classical lower bounds, lower bounds for
exponentially small success probabilities (as in the direct product theorem), or polynomial
lower bounds for quantities that have "no right" to be polynomials (as in the collision and
set comparison problems). Yet the two methods also have complementary limitations. The
adversary method is useless when the relevant probability gaps are small, or when every
0-input differs from every 1-input in a constant fraction of locations. Likewise, the
polynomial method cannot be applied to problems that lack permutation symmetry, at least using
the techniques we currently know. Thus, perhaps the most important open problem in
quantum lower bounds is to develop a new method that overcomes the limitations of both
the polynomial and the adversary methods.^1

^1 Along these lines, Barnum, Saks, and Szegedy 1111 have given what in some sense is a provably optimal
method, but their method (based on semidefinite programming) seems too difficult to apply directly.

In keeping with the theme of this thesis, I end Part I by listing some classical
intuitions about computing, that a hypothetical being from Conway's Game of Life could
safely carry into the quantum universe.

• The collision problem is not that much easier than unordered search. For despite
being extremely far from any one-to-one function, a random two-to-one function still
looks one-to-one unless we do an expensive search for collisions.

• Finding a local minimum of a function is not that much easier than finding a global
minimum. This is because the paths leading to local minima could be exponentially
long.

• If we want to distinguish an input X from the set of all Y such that $f(Y) \ne f(X)$,
then there is nothing much better to do than to query nonadaptively according to the
minimax strategy.

• The difficulty of recursive Fourier sampling increases exponentially with the height of
the tree.

• Given n unrelated instances of a problem, but only enough time to solve o(n) of them,
the probability of succeeding on all n instances decreases exponentially with n.

• NP-complete problems are probably hard, even with the help of polynomial-size
advice.
Part II

Models and Reality 
LS: So you believe quantum mechanics?
Me: Of course I do! 

LS: So a thousand years from now, people will still be doing quantum mechanics? 

Me: Well. . . um. . . I guess so. . . 

— Conversation between me and Lee Smolin 






Chapter 12 

Skepticism of Quantum Computing 



"QC of the sort that factors long numbers seems firmly rooted in science fiction 
. . . The present attitude would be analogous to, say, Maxwell selling the Daemon 
of his famous thought experiment as a path to cheaper electricity from heat." 

— Leonid Levin [165]

Quantum computing presents a dilemma: is it reasonable to study a type of
computer that has never been built, and might never be built in one's lifetime? Some researchers
strongly believe the answer is 'no.' Their objections generally fall into four categories:

(A) There is a fundamental physical reason why large quantum computers can never be
built.

(B) Even if (A) fails, large quantum computers will never be built in practice.

(C) Even if (A) and (B) fail, the speedup offered by quantum computers is of limited
theoretical interest.

(D) Even if (A), (B), and (C) fail, the speedup is of limited practical value.^1

^1 Because of the 'even if' clauses, the objections seem to me logically independent, so that there are 16
possible positions regarding them (or 15 if one is against quantum computing). I ignore the possibility that
no speedup exists, in other words that BPP = BQP. By 'large quantum computer' I mean any computer
much faster than its best classical simulation, as a result of asymptotic complexity rather than the speed of
elementary operations. Such a computer need not be universal; it might be specialized for (say) factoring.

The objections can be classified along two axes, as in Table 12.1.

              Theoretical   Practical
Physical      (A)           (B)
Algorithmic   (C)           (D)

Table 12.1: Four objections to quantum computing.

This chapter focuses on objection (A), that quantum computing is impossible for
a fundamental physical reason. Among computer scientists, this objection is most closely
associated with Leonid Levin [165].^2 The following passage captures much of the flavor of
his critique:

The major problem [with quantum computing] is the requirement that basic 
quantum equations hold to multi-hundredth if not millionth decimal positions 
where the significant digits of the relevant quantum amplitudes reside. We 
have never seen a physical law valid to over a dozen decimals. Typically, every 
few new decimal places require major rethinking of most basic concepts. Are 
quantum amplitudes still complex numbers to such accuracies or do they become 
quaternions, colored graphs, or sick-humored gremlins? [165]

Among other things, Levin argues that quantum computing is analogous to the 
unit-cost arithmetic model, and should be rejected for essentially the same reasons; that 
claims to the contrary rest on a confusion between metric and topological approximation; 
that quantum fault-tolerance theorems depend on extravagant assumptions; and that even 
if a quantum computer failed, we could not measure its state to prove a breakdown of 
quantum mechanics, and thus would be unlikely to learn anything new. 

A few responses to Levin's arguments can be offered immediately. First, even 
classically, one can flip a coin a thousand times to produce probabilities of order 2 -1000 . 
Should one dismiss such probabilities as unphysical? At the very least, it is not obvious 
that amplitudes should behave differently than probabilities with respect to error — since 
both evolve linearly, and neither is directly observable. 

Second, if Levin believes that quantum mechanics will fail, but is agnostic about 
what will replace it, then his argument can be turned around. How do we know that the 
successor to quantum mechanics will limit us to BPP, rather than letting us solve (say) 
PSPACE-complete problems? This is more than a logical point. Abrams and Lloyd [15] 
argue that a wide class of nonlinear variants of the Schrödinger equation would allow 
NP-complete and even #P-complete problems to be solved in polynomial time. And Penrose 
[189], who proposed a model for 'objective collapse' of the wavefunction, believes that his 
proposal takes us outside the set of computable functions entirely! 

Third, to falsify quantum mechanics, it would suffice to show that a quantum 
computer evolved to some state far from the state that quantum mechanics predicts. Mea- 
suring the exact state is unnecessary. Nobel prizes have been awarded in the past 'merely' 
for falsifying a previously held theory, rather than replacing it by a new one. An example 
is the physics Nobel awarded to Fitch jllUj and Cronin jHS] in 1980 for discovering CP 
symmetry violation. 

Perhaps the key to understanding Levin's unease about quantum computing lies 
in his remark that "we have never seen a physical law valid to over a dozen decimals." Here 
he touches on a serious epistemological question: How far should we extrapolate from today's 
experiments to where quantum mechanics has never been tested? I will try to address this 
question by reviewing the evidence for quantum mechanics. For my purposes it will not 

2 More recently, Oded Goldreich [128] has also put forward an argument against quantum computing. 
Compared to Levin's arguments, Goldreich's is easily understood: he believes that states arising in Shor's 
algorithm have exponential "non-degeneracy" and therefore take exponential time to prepare, and that there 
is no burden on those who hold this view to suggest a definition of non-degeneracy. 
suffice to declare the predictions of quantum mechanics "verified to one part in a trillion," 
because we have to distinguish at least three different types of prediction: interference, 
entanglement, and Schrödinger cats. Let us consider these in turn. 

(1) Interference. If the different paths that an electron could take in its orbit around a 
nucleus did not interfere destructively, canceling each other out, then electrons would 
not have quantized energy levels. So being accelerating electric charges, they would 
lose energy and spiral into their respective nuclei, and all matter would disintegrate. 
That this has not happened — together with the results of (for example) single-photon 
double-slit experiments — is compelling evidence for the reality of quantum interfer- 
ence. 

(2) Entanglement. One might accept that a single particle's position is described by a 
wave in three-dimensional phase space, but deny that two particles are described by 
a wave in six-dimensional phase space. However, the Bell inequality experiments of 
Aspect et al. [37] and successors have convinced all but a few physicists that quantum 
entanglement exists, can be maintained over large distances, and cannot be explained 
by local hidden-variable theories. 

(3) Schrödinger Cats. Accepting two- and three-particle entanglement is not the same 
as accepting that whole molecules, cats, humans, and galaxies can be in coherent 
superposition states. However, recently Arndt et al. [HE] have performed the 
double-slit interference experiment using $C_{60}$ molecules (buckyballs) instead of photons; while 
Friedman et al. [119] have found evidence that a superconducting current, consisting of 
billions of electrons, can enter a coherent superposition of flowing clockwise around a 
coil and flowing counterclockwise (see Leggett [164] for a survey of such experiments). 
Though short of cats, these experiments at least allow us to say the following: if 
we could build a general-purpose quantum computer with as many components as 
have already been placed into coherent superposition, then on certain problems, that 
computer would outperform any computer in the world today. 

Having reviewed some of the evidence for quantum mechanics, we must now ask 
what alternatives have been proposed that might also explain the evidence. The simplest 
alternatives are those in which quantum states "spontaneously collapse" with some 
probability, as in the GRW (Ghirardi-Rimini-Weber) theory JT2HI- 3 The drawbacks of the GRW 
theory include violations of energy conservation, and parameters that must be fine-tuned 
to avoid conflicting with experiments. More relevant for us, though, is that the collapses 
postulated by the theory are only in the position basis, so that quantum information stored 
in internal degrees of freedom (such as spin) is unaffected. Furthermore, even if we 
extended the theory to collapse those internal degrees, large quantum computers could still 
be built. For the theory predicts roughly one collapse per particle per $10^{15}$ seconds, with a 
collapse affecting everything in a $10^{-7}$-meter vicinity. So even in such a vicinity, one could 
perform a computation involving (say) $10^{10}$ particles for $10^{5}$ seconds. Finally, as pointed 

3 Penrose [189] has proposed another such theory, but as mentioned earlier, his theory suggests that the 
quantum computing model is too restrictive. 
out to me by Rob Spekkens, standard quantum error-correction techniques might be used 
to overcome even GRW-type decoherence. 

A second class of alternatives includes those of 't Hooft [227] and Wolfram [246], 
in which something like a deterministic cellular automaton underlies quantum mechanics. 
On the basis of his theory, 't Hooft predicts that "[i]t will never be possible to construct a 
'quantum computer' that can factor a large number faster, and within a smaller region of 
space, than a classical machine would do, if the latter could be built out of parts at least 
as large and as slow as the Planckian dimensions" [227]. Similarly, Wolfram states that 
"[i]ndeed within the usual formalism [of quantum mechanics] one can construct quantum 
computers that may be able to solve at least a few specific problems exponentially faster 
than ordinary Turing machines. But particularly after my discoveries ... I strongly suspect 
that even if this is formally the case, it will still not turn out to be a true representation of 
ultimate physical reality, but will instead just be found to reflect various idealizations made 
in the models used so far" [246, p. 771]. 

The obvious question then is how these theories account for Bell inequality viola- 
tions. I confess to being unable to understand 't Hooft's answer to this question, except 
that he believes that the usual notions of causality and locality might no longer apply in 
quantum gravity. As for Wolfram's theory, which involves "long-range threads" to account 
for Bell inequality violations, I will show in Section 12.1 below that it fails Wolfram's own 
desiderata of causal and relativistic invariance. 

12.1 Bell Inequalities and Long-Range Threads 

This section is excerpted from my review of Stephen Wolfram's A New Kind 
of Science [246]. 

The most interesting chapter of A New Kind of Science is the ninth, on 'Fun- 
damental Physics.' Here Wolfram confronts general relativity and quantum mechanics, 
arguably the two most serious challenges to the deterministic, cellular-automaton-based 
view of nature that he espouses. Wolfram conjectures that spacetime is discrete at the 
Planck scale, of about $10^{-33}$ centimeters or $10^{-43}$ seconds. This conjecture is not new, and 
has received considerable attention recently in connection with the holographic principle 
[65] from black hole thermodynamics, which Wolfram does not discuss. But are new ideas 
offered to substantiate the conjecture? 

For Wolfram, spacetime is a causal network, in which events are vertices and edges 
specify the dependence relations between events. Pages 486-496 and 508-515 discuss in 
detail how to generate such a network from a simple set of rules. In particular, we could 
start with a finite undirected 'space graph' G. We then posit a set of update rules, each of 
which replaces a subgraph by another subgraph with the same number of outgoing edges. 
The new subgraph must preserve any symmetries of the old one. Then each event in 
the causal network corresponds to an application of an update rule. If updating event B 
becomes possible as a result of event A, then we draw an edge from A to B. 

Properties of space are defined in terms of G. For example, if the number of 
vertices in G at distance at most n from any given vertex grows as $n^D$, then space can be 
said to have dimension D. (As for formalizing this definition, Wolfram says only that there 
are "some subtleties. For example, to find a definite volume growth rate one does still need 
to take some kind of limit — and one needs to avoid sampling too many or too few" vertices 
(p. 1030).) Similarly, Wolfram argues that the curvature information needed for general 
relativity, in particular the Ricci tensor, can be read from the connectivity pattern of G. 
Interestingly, to make the model as simple as possible, Wolfram does not associate a bit to 
each vertex of G, representing (say) the presence or absence of a particle. Instead particles 
are localized structures, or 'tangles,' in G. 

An immediate problem is that one might obtain many nonequivalent causal net- 
works, depending on the order in which update rules are applied to G. Wolfram calls a set 
of rules that allows such nondeterministic evolution a 'multiway system.' He recognizes, 
but rejects, a possible connection to quantum mechanics: 

The notion of 'many-figured time' has been discussed since the 1950s in the 
context of the many-worlds interpretation of quantum mechanics. There are some 
similarities to the multiway systems that I consider here. But an important 
difference is that while in the many-worlds approach, branchings are associated 
with possible observation or measurement events, what I suggest here is that 
they could be an intrinsic feature of even the very lowest-level rules for the 
universe (p. 1035-6). 

It is unclear exactly what distinction is being drawn: is there any physical event 
that is not associated with a possible observation or measurement? In any case, Wolfram 
opts instead for rule sets that are 'causal invariant': that is, that yield the same causal 
network regardless of the order in which rules are applied. As noted by Wolfram, a 
sufficient (though not necessary) condition for causal invariance is that no 'replaceable' 
subgraph overlaps itself or any other replaceable subgraph. 

Wolfram points out an immediate analogy to special relativity, wherein observers 
do not in general agree on the order in which spacelike separated events occur, yet agree 
on any final outcome of the events. He is vague, though, about how (say) the Lorentz 
transformations might be derived in a causal network model: 

There are many subtleties here, and indeed to explain the details of what is 
going on will no doubt require quite a few new and rather abstract concepts. 
But the general picture that I believe will emerge is that when particles move 
faster they will appear to have more nodes associated with them (p. 529). 

Wolfram is "certainly aware that many physicists will want to know more details," 
he says in the endnotes, about how a discrete model of the sort he proposes can reproduce 
known features of physics. But, although he chose to omit technical formalism from the 
presentation, "[g]iven my own personal background in theoretical physics it will come as no 
surprise that I have often used such formalism in the process of working out what I describe 
in these sections" (p. 1043). The paradox is obvious: if technical formalism would help 
convince physicists of his ideas, then what could Wolfram lose by including it, say in the 
endnotes? If, on the other hand, such formalism is irrelevant, then why does Wolfram even 
mention having used it? 
Physicists' hunger for details will likely grow further when they read the section on 
'Quantum Phenomena' (p. 537-545). Here Wolfram maintains that quantum mechanics 
is only an approximation to an underlying classical (and most likely deterministic) theory. 
Many physicists have sought such a theory, from Einstein to (in modern times) 't Hooft 
[227]. But a series of results, beginning in the 1960's, has made it clear that such a theory 
comes at a price. I will argue that, although Wolfram discusses these results, he has not 
understood what they actually entail. 

To begin, Wolfram is not advocating a hidden-variable approach such as Bohmian 
mechanics, in which the state vector is supplemented by an 'actual' eigenstate of a particular 
observable. Instead he thinks that, at the lowest level, the state vector is not needed at all; 
it is merely a useful construct for describing some (though presumably not all) higher-level 
phenomena. Indeterminacy arises because of one's inability to know the exact state of a 
system: 

[I]f one knew all of the underlying details of the network that makes up our 
universe, it should always be possible to work out the result of any measurement. 
I strongly believe that the initial conditions for the universe were quite simple. 
But like many of the processes we have seen in this book, the evolution of the 
universe no doubt intrinsically generates apparent randomness. And the result 
is that most aspects of the network that represents the current state of our 
universe will seem essentially random (p. 543). 

Similarly, Wolfram explains as follows why an electron has wave properties: "... a 
network which represents our whole universe must also include us as observers. And this 
means that there is no way that we can look at the network from the outside and see the 
electron as a definite object" (p. 538). An obvious question then is how Wolfram accounts 
for the possibility of quantum computing, assuming BPP $\neq$ BQP. He gives an answer in 
the final chapter: 

Indeed within the usual formalism [of quantum mechanics] one can construct 
quantum computers that may be able to solve at least a few specific problems 
exponentially faster than ordinary Turing machines. But particularly after my 
discoveries in Chapter 9 ['Fundamental Physics'], I strongly suspect that even 
if this is formally the case, it will still not turn out to be a true representation 
of ultimate physical reality, but will instead just be found to reflect various 
idealizations made in the models used so far (p. 771). 

In the endnotes, though, where he explains quantum computing in more detail, 
Wolfram seems to hedge about which idealizations he has in mind: 

It does appear that only modest precision is needed for the initial amplitudes. 
And it seems that perturbations from the environment can be overcome using 
versions of error-correcting codes. But it remains unclear just what might be 
needed actually to perform for example the final measurements required (p. 
1148). 
One might respond that, with or without quantum computing, Wolfram's propos- 
als can be ruled out on the simpler ground that they disallow Bell inequality violations. 
However, Wolfram puts forward an imaginative hypothesis to account for bipartite entan- 
glement. When two particles (or 'tangles' in the graph G) collide, long-range 'threads' may 
form between them, which remain in place even if the particles are later separated: 

The picture that emerges is then of a background containing a very large num- 
ber of connections that maintain an approximation to three-dimensional space, 
together with a few threads that in effect go outside of that space to make direct 
connections between particles (p. 544). 

The threads can produce Bell correlations, but are somehow too small (i.e. contain 
too few edges) to transmit information in a way that violates causality. 

There are several objections one could raise against this thread hypothesis. What 
I will show is that, if one accepts two of Wolfram's own desiderata — determinism and causal 
invariance — then the hypothesis fails. First, though, let me remark that Wolfram says little 
about what, to me, is a more natural possibility than the thread hypothesis. This is an 
explicitly quantum cellular automaton or causal network, with a unitary transition rule. 
The reason seems to be that he does not want continuity anywhere in a model, not even 
in probabilities or amplitudes. In the notes, he describes an experiment with a quantum 
cellular automaton as follows: 

One might hope to be able to get an ordinary cellular automaton with a limited 
set of possible values by choosing a suitable [phase rotation] $\theta$ [$\theta = \pi/4$ and 
$\theta = \pi/3$ are given as examples in an illustration]. But in fact in non-trivial 
cases most of the cells generated at each step end up having distinct values (p. 
1060). 

This observation is unsurprising, given the quantum computing results mentioned 
in Chapter |IJ to the effect that almost any nontrivial gate set is universal (that is, can 
approximate any unitary matrix to any desired precision, or any orthogonal matrix in case 
one is limited to reals). Indeed, Shi [217] has shown that a Toffoli gate, plus any gate that 
does not preserve the computational basis, or a controlled-NOT gate plus any gate whose 
square does not preserve the computational basis, are both universal gate sets. In any 
case, Wolfram does not address the fact that continuity in amplitudes seems more 'benign' 
than continuity in measurable quantities: the former, unlike the latter, does not enable an 
infinite amount of computation to be performed in a finite time. Also, as observed by 
Bernstein and Vazirani [55], the linearity of quantum mechanics implies that tiny errors in 
amplitudes will not be magnified during a quantum computation. 

I now proceed to the argument that Wolfram's thread hypothesis is inconsistent 
with causal invariance and relativity. Let $\mathcal{R}$ be a set of graph updating rules, which 
might be probabilistic. Then consider the following four assertions (which, though not 
mathematically precise, will be clarified by subsequent discussion). 

(1) $\mathcal{R}$ satisfies causal invariance. That is, given any initial graph (and choice of 
randomness if $\mathcal{R}$ is probabilistic), $\mathcal{R}$ yields a unique causal network. 

(2) $\mathcal{R}$ satisfies the relativity postulate. That is, assuming the causal network 
approximates a flat Minkowski spacetime at a large enough scale, there are no preferred 
inertial frames. 

(3) $\mathcal{R}$ permits Bell inequality violations. 

(4) Any updating rule in $\mathcal{R}$ is always considered to act on a fixed graph, not on a 
distribution or superposition over graphs. This is true even if parts of the initial graph 
are chosen at random, and even if $\mathcal{R}$ is probabilistic. 

The goal is to show that, for any $\mathcal{R}$, at least one of these assertions is false. Current 
physical theory would suggest that (1)-(3) are true and that (4) is false. Wolfram, if I 
understand him correctly, starts with (4) as a premise, and then introduces causal invariance 
to satisfy (1) and (2), and long-range threads to satisfy (3). Of course, even to state the 
two-party Bell inequalities requires some notion of randomness. And on pages 299-326, 
Wolfram discusses three mechanisms for introducing randomness into a system: randomness 
in initial conditions, randomness from the environment (i.e. probabilistic updating rules), 
and intrinsic randomness (i.e. deterministic rules that produce pseudorandom output). 
However, all of these mechanisms are compatible with (4), and so my argument will show 
that they are inadequate assuming (1)-(3). The conclusion is that, in a model of the sort 
Wolfram considers, randomness must play a more fundamental role than he allows. 

In a standard Bell experiment, Alice and Bob are given input bits $x_A$ and $x_B$ 
respectively, chosen uniformly and independently at random. Their goal is, without 
communicating, to output bits $y_A$ and $y_B$ respectively such that $y_A \oplus y_B = x_A \wedge x_B$. Under 
any 'local hidden variable' theory, Alice and Bob can succeed with probability at most 3/4; 
the optimal strategy is for them to ignore their inputs and output (say) $y_A = 0$ and $y_B = 0$. 
However, suppose Alice has a qubit $\rho_A$ and Bob a $\rho_B$, that are jointly in the Bell state 
$(|00\rangle + |11\rangle)/\sqrt{2}$. Then there is a protocol⁴ by which they can succeed with probability 
$(5 + \sqrt{2})/8 \approx 0.802$. 

To model this situation, let A and B, corresponding to Alice and Bob, be disjoint 
subgraphs of a graph G. Suppose that, at a large scale, G approximates a Euclidean 
space of some dimension; and that any causal network obtained by applying updates to 
G approximates a Minkowski spacetime. One can think of G as containing long-range 
threads from A to B, though the nature of the threads will not affect the conclusions. 
Encode Alice's input $x_A$ by (say) placing an edge between two specific vertices in A if and 
only if $x_A = 1$. Encode $x_B$ similarly, and also supply Alice and Bob with arbitrarily 
many correlated random bits. Finally, let us stipulate that at the end of the protocol, 
there is an edge between two specific vertices in A if and only if $y_A = 1$, and similarly for 
$y_B$. A technicality is that we need to be able to identify which vertices correspond to $x_A$, 
$y_A$, and so on, even as G evolves over time. We could do this by stipulating that (say) 
"the $x_A$ vertices are the ones that are roots of complete binary trees of depth 3," and then 
choosing the rule set to guarantee that, throughout the protocol, exactly two vertices have 
this property. 

4 If $x_A = 1$ then Alice applies a $\pi/8$ phase rotation to $\rho_A$, and if $x_B = 1$ then Bob applies a $-\pi/8$ rotation 
to $\rho_B$. Both parties then measure in the standard basis and output whatever they observe. 
Call a variable 'touched' after an update has been applied to a subgraph containing 
any of the variable's vertices. Also, let Z be an assignment to all random variables: that 
is, $x_A$, $x_B$, the correlated random bits, and the choice of randomness if $\mathcal{R}$ is probabilistic. 
Then for all Z we need the following, based on what observers in different inertial frames 
could perceive: 

(i) There exists a sequence of updates under which $y_A$ is output before any of Bob's 
variables are touched. 

(ii) There exists another sequence under which $y_B$ is output before any of Alice's variables 
are touched. 

Now it is easy to see that, if a Bell inequality violation occurs, then causal 
invariance must be violated. Given Z, let $y_A^{(1)}(Z)$, $y_B^{(1)}(Z)$ be the values of $y_A$, $y_B$ that are output 
under rule sequence (i), and let $y_A^{(2)}(Z)$, $y_B^{(2)}(Z)$ be the values output under sequence (ii). 
Then there must exist some Z for which either $y_A^{(1)}(Z) \neq y_A^{(2)}(Z)$ or $y_B^{(1)}(Z) \neq y_B^{(2)}(Z)$ — for 
if not, then the entire protocol could be simulated under a local hidden variable model. It 
follows that the outcome of the protocol can depend on the order in which updates are 
applied. 

To obtain a Bell inequality violation, something like the following seems to be 
needed. We can encode 'hidden variables' into G, representing the outcomes of the possible 
measurements Bob could make on $\rho_B$. (We can imagine, if we like, that the update rules 
are such that observing any one of these variables destroys all the others. Also, we make no 
assumption of contextuality.) Then, after Alice measures $\rho_A$, using the long-range threads 
she updates Bob's hidden variables conditioned on her measurement outcome. Similarly, 
Bob updates Alice's hidden variables conditioned on his outcome. Since at least one party 
must access its hidden variables for there to be Bell inequality violations, causal invariance 
is still violated. But a sort of probabilistic causal invariance holds, in the sense that if 
we marginalize out A (the 'Alice' part of G), then the distribution of values for each of 
Bob's hidden variables is the same before and after Alice's update. The lesson is that, if 
we want both causal invariance and Bell inequality violations, then we need to introduce 
probabilities at a fundamental level — not merely to represent Alice and Bob's subjective 
uncertainty about the state of G, but even to define whether a set of rules is or is not causal 
invariant. 

Note that I made no assumption about how the random bits were generated — i.e. 
whether they were 'truly random' or were the pseudorandom output of some updating rule. 
The conclusion is also unaffected if we consider a 'deterministic' variant of Bell's theorem due 
to Greenberger, Horne, and Zeilinger [136]. There three parties, Alice, Bob, and Charlie, are 
given input bits $x_A$, $x_B$, and $x_C$ respectively, satisfying the promise that $x_A \oplus x_B \oplus x_C = 0$. 
The goal is to output bits $y_A$, $y_B$, and $y_C$ such that $y_A \oplus y_B \oplus y_C = x_A \vee x_B \vee x_C$. 
Under a local hidden variable model, there is no protocol that succeeds on all four possible 
inputs; but if the parties share the GHZ state $(|011\rangle + |101\rangle + |110\rangle - |000\rangle)/2$, then such 
a protocol exists. However, although the output is correct with certainty, assuming causal 
invariance one cannot implement the protocol without introducing randomness into the 
underlying rules, exactly as in the two-party case. 
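
The numbers quoted for the two-party Bell experiment and for the GHZ variant can be checked directly. The following is an added example, not code from the thesis: it enumerates every deterministic local strategy and simulates the entangled protocols with a small state-vector routine. It assumes that footnote 4's "phase rotation" means a real rotation of the qubit by the stated angle, and, for GHZ, that each party applies a Hadamard gate when its input bit is 1 (the text does not spell that protocol out).

```python
import itertools
import math

S = 1 / math.sqrt(2)
IDENT = ((1.0, 0.0), (0.0, 1.0))
HADAMARD = ((S, S), (S, -S))


def rotation(theta):
    """Real 2x2 rotation by theta (assumed reading of 'phase rotation')."""
    c, s = math.cos(theta), math.sin(theta)
    return ((c, -s), (s, c))


def apply_1q(state, n, k, u):
    """Apply the 2x2 matrix u to qubit k (0 = leftmost) of an n-qubit state."""
    out = [0.0] * len(state)
    shift = n - 1 - k
    for idx, amp in enumerate(state):
        bit = (idx >> shift) & 1
        base = idx & ~(1 << shift)
        for new in (0, 1):
            out[base | (new << shift)] += u[new][bit] * amp
    return out


def quantum_win_rate(state, gate_for, inputs, target):
    """Average over inputs of Pr[XOR of measured bits == target(x)]."""
    n = len(inputs[0])
    total = 0.0
    for x in inputs:
        psi = state
        for k in range(n):
            psi = apply_1q(psi, n, k, gate_for(k, x[k]))
        # Standard-basis measurement: outcome idx occurs with probability amp^2.
        total += sum(a * a for idx, a in enumerate(psi)
                     if bin(idx).count("1") % 2 == target(x))
    return total / len(inputs)


def best_local_win_rate(inputs, target):
    """Best win rate over deterministic local strategies.

    Shared random bits only mix such strategies, so they cannot do better.
    """
    n = len(inputs[0])
    best = 0.0
    # Party k answers table[2k] on input 0 and table[2k + 1] on input 1.
    for table in itertools.product((0, 1), repeat=2 * n):
        wins = 0
        for x in inputs:
            parity = 0
            for k in range(n):
                parity ^= table[2 * k + x[k]]
            wins += (parity == target(x))
        best = max(best, wins / len(inputs))
    return best


# Two-party experiment: want y_A xor y_B = x_A and x_B.
CHSH_INPUTS = list(itertools.product((0, 1), repeat=2))
BELL = [S, 0.0, 0.0, S]  # (|00> + |11>)/sqrt(2)


def chsh_target(x):
    return x[0] & x[1]


def chsh_gate(k, bit):
    """Footnote 4: Alice rotates by pi/8, Bob by -pi/8, only on input 1."""
    if not bit:
        return IDENT
    return rotation(math.pi / 8) if k == 0 else rotation(-math.pi / 8)


# GHZ variant: promise x_A xor x_B xor x_C = 0, want XOR of outputs = OR of inputs.
GHZ_INPUTS = [x for x in itertools.product((0, 1), repeat=3)
              if x[0] ^ x[1] ^ x[2] == 0]
GHZ = [0.0] * 8
GHZ[0b011] = GHZ[0b101] = GHZ[0b110] = 0.5
GHZ[0b000] = -0.5


def ghz_target(x):
    return x[0] | x[1] | x[2]


def ghz_gate(k, bit):
    """Assumed protocol: Hadamard on input 1, nothing on input 0."""
    return HADAMARD if bit else IDENT


if __name__ == "__main__":
    print("CHSH local bound :", best_local_win_rate(CHSH_INPUTS, chsh_target))
    print("CHSH with Bell   :", quantum_win_rate(BELL, chsh_gate, CHSH_INPUTS, chsh_target))
    print("GHZ local bound  :", best_local_win_rate(GHZ_INPUTS, ghz_target))
    print("GHZ with state   :", quantum_win_rate(GHZ, ghz_gate, GHZ_INPUTS, ghz_target))
```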
After a version of the above argument was sent to Wolfram, Todd Rowland, an 
employee of Wolfram, sent me email claiming that the argument fails for the following 
reason. I assumed that there exist two sequences of updating events, one in which Alice's 
measurement precedes Bob's and one in which Bob's precedes Alice's. But I neglected 
the possibility that a single update, call it E, is applied to a subgraph that straddles the 
long-range threads. The event E would encompass both Alice and Bob's measurements, so 
that neither would precede the other in any sequence of updates. We could thereby obtain 
a rule set $\mathcal{R}$ satisfying assertions (1), (3), and (4). 

I argue that such an $\mathcal{R}$ would nevertheless fail to satisfy (2). For in effect we start 
with a flat Minkowski spacetime, and then take two distinct events that are simultaneous 
in a particular inertial frame, and identify them as being the same event E. This can be 
visualized as 'pinching together' two horizontally separated points on a spacetime diagram. 
(Actually a whole 'V' of points must be pinched together, since otherwise entanglement 
could not have been created.) However, what happens in a different inertial frame? It 
would seem that E, a single event, is perceived to occur at two separate times. That by 
itself might be thought acceptable, but it implies that there exists a class of preferred inertial 
frames: those in which E is perceived to occur only once. Of course, even in a flat spacetime, 
one could designate as 'preferred' those frames in which Alice and Bob's measurements are 
perceived to be simultaneous. A crucial distinction, though, is that there one only obtains 
a class of preferred frames after deciding which event at Alice's location, and which at Bob's 
location, should count as the 'measurement.' Under Rowland's hypothesis, by contrast, 
once one decides what counts as the measurement at Alice's location, the decision at Bob's 
location is made automatically, because of the identification of events that would otherwise 
be far apart. 
Chapter 13 

Complexity Theory of Quantum 
States 

In my view, the central weakness in the arguments of quantum computing skeptics 
is their failure to suggest any answer to the following question: Exactly what property separates 
the quantum states we are sure we can create, from the states that suffice for Shor's factoring 
algorithm? 

I call such a property a "Sure/Shor separator." The purpose of this chapter is 
to develop a mathematical theory of Sure/Shor separators, and thereby illustrate what I 
think a scientific discussion about the possibility of quantum computing might look like. 
In particular, I will introduce tree states, which informally are those states in $H^{\otimes n}$ 
expressible by a polynomial-size 'tree' of addition and tensor product gates. For example, 
$\alpha|0\rangle^{\otimes n} + \beta|1\rangle^{\otimes n}$ and $(\alpha|0\rangle + \beta|1\rangle)^{\otimes n}$ are both tree states. Section 13.1 provides the 
philosophical motivation for thinking of tree states as a possible Sure/Shor separator; then 
Section 13.2 formally defines tree states and many related classes of quantum states. Next, 
Section 13.3 investigates basic properties of tree states. Among other results, it shows 
that any tree state is representable by a tree of polynomial size and logarithmic depth; and 
that most states do not even have large inner product with any tree state. Then Section 
13.4 shows relationships among tree size, circuit size, bounded-depth tree size, Vidal's $\chi$ 
complexity [236], and several other measures. It also relates questions about quantum state 
classes to more traditional questions about computational complexity classes. 

But the main results of the chapter, proved in Section 13.5, are lower bounds 
on tree size for various natural families of quantum states. In particular, Section 13.5.1 
analyzes "subgroup states," which are uniform superpositions $|S\rangle$ over all elements of a 
subgroup $S \le \mathbb{Z}_2^n$. The importance of these states arises from their central role in 
stabilizer codes, a type of quantum error-correcting code. I first show that if S is chosen 
uniformly at random, then with high probability $|S\rangle$ cannot be represented by any tree of 
size $n^{o(\log n)}$. This result has a corollary of independent complexity-theoretic interest: the 
first superpolynomial gap between the formula size and the multilinear formula size of a 
function $f : \{0,1\}^n \to \mathbb{R}$. I then present two improvements of the basic lower bound. First, 
I show that a random subgroup state cannot even be approximated well in trace distance by 
any tree of size $n^{o(\log n)}$. Second, I "derandomize" the lower bound, by using Reed-Solomon 
codes to construct an explicit subgroup state with tree size $n^{\Omega(\log n)}$. 

Section 13.5.2 analyzes the states that arise in Shor's factoring algorithm — for 
example, a uniform superposition over all multiples of a fixed positive integer p, written in 
binary. Originally, I had hoped to show a superpolynomial tree size lower bound for these 
states as well. However, I am only able to show such a bound assuming a number-theoretic 
conjecture. 

The lower bounds use a sophisticated recent technique of Raz [195, 196], which was 
introduced to show that the permanent and determinant of a matrix require 
superpolynomial-size multilinear formulas. Currently, Raz's technique is only able to show lower bounds of 
the form $n^{\Omega(\log n)}$, but I conjecture that $2^{\Omega(n)}$ lower bounds hold in all of the cases discussed 
above. 

One might wonder how superpolynomial tree size relates to more physical 
properties of a quantum state. Section 13.5.3 addresses this question, by pointing out how Raz's 
lower bound technique is connected to a notion that physicists call "persistence of entan- 
glement" |711 HUUj . On the other hand, I also give examples showing that the connection 
is not exact. 

Section 13.6 studies a weakening of tree size called "manifestly orthogonal tree 
size," and shows that this measure can sometimes be characterized exactly, enabling us to 
prove exponential lower bounds. The techniques in Section 13.6 might be of independent 
interest to complexity theorists — one reason being that they do not obviously "naturalize" 
in the sense of Razborov and Rudich [200]. 

Section 13.7 addresses the following question. If the state of a quantum computer
at every time step is a tree state, then can the computer be simulated classically? In
other words, letting TreeBQP be the class of languages accepted by such a machine, does
TreeBQP = BPP? A positive answer would make tree states more attractive as a Sure/Shor
separator. For once we admit any states incompatible with the polynomial-time
Church-Turing thesis, it seems like we might as well go all the way, and admit all states preparable
by polynomial-size quantum circuits! Although I leave this question open, I do show that
TreeBQP $\subseteq \Sigma_3^P \cap \Pi_3^P$, where $\Sigma_3^P \cap \Pi_3^P$ is the third level of the polynomial hierarchy PH. By
contrast, it is conjectured that BQP $\not\subset$ PH, though admittedly not on strong evidence.

Section 13.8 discusses the implications of these results for experimental physics.
It advocates a dialectic between theory and experiment, in which theorists would propose
a class of quantum states that encompasses everything seen so far, and then experimenters
would try to prepare states not in that class. It also asks whether states with
superpolynomial tree size have already been observed in condensed-matter systems; and more broadly,
what sort of evidence is needed to establish a state's existence. Other issues addressed in
Section 13.8 include how to deal with mixed states and particle position and momentum
states, and the experimental relevance of asymptotic bounds. I conclude in Section 13.9
with some open problems.

13.1 Sure/Shor Separators 

Given the discussion in Chapter 12, I believe that the challenge for quantum computing
skeptics is clear. Ideally, come up with an alternative to quantum mechanics — even an
idealized toy theory — that can account for all present-day experiments, yet would not
allow large-scale quantum computation. Failing that, at least say what you take quantum
mechanics' domain of validity to be. One way to do this would be to propose a set $S$ of
quantum states that you believe corresponds to possible physical states of affairs.¹ The
set $S$ must contain all "Sure states" (informally, the states that have already been
demonstrated in the lab), but no "Shor states" (again informally, the states that can be shown to
suffice for factoring, say, 500-digit numbers). If $S$ satisfies both of these constraints, then
I call $S$ a Sure/Shor separator (see Figure 13.1).

[Figure 13.1 region labels: Shor States (suffice for nontrivial factoring); Allowed by GRW theory; Sure States (already demonstrated); Allowed by local hidden variable theories.]

Figure 13.1: A Sure/Shor separator must contain all Sure states but no Shor states. That
is why neither local hidden variables nor the GRW theory yields a Sure/Shor separator.

Of course, an alternative theory need not involve a sharp cutoff between possible
and impossible states. So it is perfectly acceptable for a skeptic to define a "complexity
measure" $C$ for quantum states, and then say something like the following: If $|\psi_n\rangle$
is a state of $n$ spins, and $C(|\psi_n\rangle)$ is at most, say, $n^2$, then I predict that $|\psi_n\rangle$ can be
prepared using only "polynomial effort." Also, once prepared, $|\psi_n\rangle$ will be governed by
standard quantum mechanics to extremely high precision. All states created to date have
had small values of $C(|\psi_n\rangle)$. However, if $C(|\psi_n\rangle)$ grows as, say, $2^n$, then I predict that
$|\psi_n\rangle$ requires "exponential effort" to prepare, or else is not even approximately governed by
quantum mechanics, or else does not even make sense in the context of an alternative theory.
The states that arise in Shor's factoring algorithm have exponential values of $C(|\psi_n\rangle)$. So
as my Sure/Shor separator, I propose the set of all infinite families of states $\{|\psi_n\rangle\}_{n \ge 1}$,
where $|\psi_n\rangle$ has $n$ qubits, such that $C(|\psi_n\rangle) \le p(n)$ for some polynomial $p$.

¹ A skeptic might also specify what happens if a state $|\psi\rangle \in S$ is acted on by a unitary $U$ such that
$U|\psi\rangle \notin S$, but this will not be insisted upon.

[Figure 13.2: tree diagram with leaves $|0\rangle_1$, $|1\rangle_1$, $|0\rangle_2$, $|1\rangle_2$.]

Figure 13.2: Expressing $(|00\rangle + |01\rangle + |10\rangle - |11\rangle)/2$ by a tree of linear combination and
tensor product gates, with scalar multiplication along edges. Subscripts denote the identity
of a qubit.

To understand the importance of Sure/Shor separators, it is helpful to think
through some examples. A major theme of Levin's arguments was that exponentially
small amplitudes are somehow unphysical. However, clearly we cannot reject all states
with tiny amplitudes — for would anyone dispute that the state $2^{-5000}(|0\rangle + |1\rangle)^{\otimes 10000}$ is
formed whenever 10,000 photons are each polarized at 45°? Indeed, once we accept $|\psi\rangle$
and $|\varphi\rangle$ as Sure states, we are almost forced to accept $|\psi\rangle \otimes |\varphi\rangle$ as well — since we can
imagine, if we like, that $|\psi\rangle$ and $|\varphi\rangle$ are prepared in two separate laboratories.² So considering
a Shor state such as

^ 2 n -l 
r=0 

what property of this state could quantum computing skeptics latch onto as being physically
extravagant? They might complain that $|\Phi\rangle$ involves entanglement across hundreds or
thousands of particles; but as mentioned in Chapter 12, there are other states with that
same property, namely the "Schrödinger cats" $(|0\rangle^{\otimes n} + |1\rangle^{\otimes n})/\sqrt{2}$, that should be regarded
as Sure states. Alternatively, the skeptics might object to the combination of exponentially
small amplitudes with entanglement across hundreds of particles. However, simply viewing
a Schrödinger cat state in the Hadamard basis produces an equal superposition over all
strings of even parity, which has both properties. We seem to be on a slippery slope
leading to all of quantum mechanics! Is there any defensible place to draw a line?

The dilemma above is what led me to propose tree states as a possible Sure/Shor
separator. The idea, which might seem more natural to logicians than to physicists, is this.
Once we accept the linear combination and tensor product rules of quantum mechanics —
allowing $\alpha|\psi\rangle + \beta|\varphi\rangle$ and $|\psi\rangle \otimes |\varphi\rangle$ into our set $S$ of possible states whenever $|\psi\rangle, |\varphi\rangle \in S$ —
one of our few remaining hopes for keeping $S$ a proper subset of the set of all states is to
impose some restriction on how those two rules can be iteratively applied. In particular,
we could let $S$ be the closure of $\{|0\rangle, |1\rangle\}$ under a polynomial number of linear combinations
and tensor products. That is, $S$ is the set of all infinite families of states $\{|\psi_n\rangle\}_{n \ge 1}$ with
$|\psi_n\rangle \in \mathcal{H}_2^{\otimes n}$, such that $|\psi_n\rangle$ can be expressed as a "tree" involving at most $p(n)$ addition,
tensor product, $|0\rangle$, and $|1\rangle$ gates for some polynomial $p$ (see Figure 13.2).

² It might be objected that in some theories, such as Chern-Simons theory, there is no clear tensor product
decomposition. However, the relevant question is whether $|\psi\rangle \otimes |\varphi\rangle$ is a Sure state, given that $|\psi\rangle$ and $|\varphi\rangle$
are both Sure states that are well-described in tensor product Hilbert spaces.
To be clear, I am not advocating that "all states in Nature are tree states" as a
serious physical hypothesis. Indeed, even if I believed firmly in a breakdown of quantum
mechanics,³ there are other choices for the set $S$ that seem equally reasonable. For example,
define orthogonal tree states similarly to tree states, except that we can only form the linear
combination $\alpha|\psi\rangle + \beta|\varphi\rangle$ if $\langle\psi|\varphi\rangle = 0$. Rather than choose among tree states, orthogonal
tree states, and the other candidate Sure/Shor separators that occurred to me, my approach
will be to prove everything I can about all of them. If I devote more space to tree states
than to others, that is simply because tree states are the subject of the most interesting
results. On the other hand, if one shows (for example) that $\{|\psi_n\rangle\}$ is not a tree state,
then one has also shown that $\{|\psi_n\rangle\}$ is not an orthogonal tree state. So many candidate
separators are related to each other; and indeed, their relationships will be a major theme
of the chapter.

In summary, to debate whether quantum computing is fundamentally impossible, 
we need at least one proposal for how it could be impossible. Since even skeptics admit that 
quantum mechanics is valid within some "regime," a key challenge for any such proposal is to 
separate the regime of acknowledged validity from the quantum computing regime. Though 
others will disagree, I do not see any choice but to identify those two regimes with classes 
of quantum states. For gates and measurements that suffice for quantum computing have 
already been demonstrated experimentally. Thus, if we tried to identify the two regimes 
with classes of gates or measurements, then we could equally well talk about the class of 
states on which all 1- and 2-qubit operations behave as expected. A similar argument 
would apply if we identified the two regimes with classes of quantum circuits — since any 
"memory" that a quantum system retains of the previous gates in a circuit, is part of the 
system's state by definition. So: states, gates, measurements, circuits — what else is there? 

I should stress that none of the above depends on the interpretation of quantum 
mechanics. In particular, it is irrelevant whether we regard quantum states as "really out 
there" or as representing subjective knowledge — since in either case, the question is whether 
there can exist systems that we would describe by based on their observed behavior. 

Once we agree to seek a Sure/Shor separator, we quickly find that the obvious
ideas — based on precision in amplitudes, or entanglement across hundreds of particles —
are nonstarters. The only idea that seems plausible is to limit the class of allowed quantum
states to those with some kind of succinct representation. That still leaves numerous
possibilities; and for each one, it might be a difficult problem to decide whether a given
$|\psi\rangle$ is succinctly representable or not. Thus, constructing a useful theory of Sure/Shor
separators is a nontrivial task. This chapter represents a first attempt.

13.2 Classifying Quantum States 

In both quantum and classical complexity theory, the objects studied are usually sets of
languages or Boolean functions. However, a generic $n$-qubit quantum state requires
exponentially many classical bits to describe, and this suggests looking at the complexity of
quantum states themselves. That is, which states have polynomial-size classical
descriptions of various kinds? This question has been studied from several angles by Aharonov
and Ta-Shma [23]; Janzing, Wocjan, and Beth [HHj; Vidal [236]; and Green et al. [HI].
Here I propose a general framework for the question. For simplicity, I limit myself to pure
states $|\psi_n\rangle \in \mathcal{H}_2^{\otimes n}$ with the fixed orthogonal basis $\{|x\rangle : x \in \{0,1\}^n\}$. Also, by 'states' I
mean infinite families of states $\{|\psi_n\rangle\}_{n \ge 1}$.

³ Which I don't.

[Figure 13.3: diagram of state classes; surviving labels are AmpP, Classical, and a legend entry for non-containment.]

Figure 13.3: Known relations among quantum state classes.

Like complexity classes, pure quantum states can be organized into a hierarchy
(see Figure 13.3). At the bottom are the classical basis states, which have the form $|x\rangle$ for
some $x \in \{0,1\}^n$. We can generalize classical states in two directions: to the class $\otimes_1$ of
separable states, which have the form $(\alpha_1|0\rangle + \beta_1|1\rangle) \otimes \cdots \otimes (\alpha_n|0\rangle + \beta_n|1\rangle)$; and to the
class $\Sigma_1$, which consists of all states $|\psi_n\rangle$ that are superpositions of at most $p(n)$ classical
states, where $p$ is a polynomial. At the next level, $\otimes_2$ contains the states that can be
written as a tensor product of $\Sigma_1$ states, with qubits permuted arbitrarily. Likewise, $\Sigma_2$
contains the states that can be written as a linear combination of a polynomial number of
$\otimes_1$ states. We can continue indefinitely to $\Sigma_3$, $\otimes_3$, etc. Containing the whole 'tensor-sum
hierarchy' $\cup_k \Sigma_k = \cup_k \otimes_k$ is the class Tree, of all states expressible by a polynomial-size tree
of additions and tensor products nested arbitrarily. Formally, Tree consists of all states
$|\psi_n\rangle$ such that $\mathrm{TS}(|\psi_n\rangle) \le p(n)$ for some polynomial $p$, where the tree size $\mathrm{TS}(|\psi_n\rangle)$ is
defined as follows.

Definition 70 A quantum state tree over $\mathcal{H}_2^{\otimes n}$ is a rooted tree where each leaf vertex is
labeled with $\alpha|0\rangle + \beta|1\rangle$ for some $\alpha, \beta \in \mathbb{C}$, and each non-leaf vertex (called a gate) is
labeled with either $+$ or $\otimes$. Each vertex $v$ is also labeled with a set $S(v) \subseteq \{1, \ldots, n\}$, such
that

(i) If $v$ is a leaf then $|S(v)| = 1$,

(ii) If $v$ is the root then $S(v) = \{1, \ldots, n\}$,

(iii) If $v$ is a $+$ gate and $w$ is a child of $v$, then $S(w) = S(v)$,

(iv) If $v$ is a $\otimes$ gate and $w_1, \ldots, w_k$ are the children of $v$, then $S(w_1), \ldots, S(w_k)$ are
pairwise disjoint and form a partition of $S(v)$.

Finally, if $v$ is a $+$ gate, then the outgoing edges of $v$ are labeled with complex
numbers. For each $v$, the subtree rooted at $v$ represents a quantum state of the qubits in
$S(v)$ in the obvious way. We require this state to be normalized for each $v$.⁴

We say a tree is orthogonal if it satisfies the further condition that if $v$ is a $+$
gate, then any two children $w_1, w_2$ of $v$ represent $|\psi_1\rangle, |\psi_2\rangle$ with $\langle\psi_1|\psi_2\rangle = 0$. If the
condition $\langle\psi_1|\psi_2\rangle = 0$ can be replaced by the stronger condition that for all basis states $|x\rangle$,
either $\langle\psi_1|x\rangle = 0$ or $\langle\psi_2|x\rangle = 0$, then we say the tree is manifestly orthogonal. Manifest
orthogonality is an extremely unphysical definition; I introduce it because it turns out to
be interesting from a lower bounds perspective.

For reasons of convenience, let us define the size $|T|$ of a tree $T$ to be the number
of leaf vertices. Then given a state $|\psi\rangle \in \mathcal{H}_2^{\otimes n}$, the tree size $\mathrm{TS}(|\psi\rangle)$ is the minimum
size of a tree that represents $|\psi\rangle$. The orthogonal tree size $\mathrm{OTS}(|\psi\rangle)$ and manifestly
orthogonal tree size $\mathrm{MOTS}(|\psi\rangle)$ are defined similarly. Then OTree is the class of $|\psi_n\rangle$
such that $\mathrm{OTS}(|\psi_n\rangle) \le p(n)$ for some polynomial $p$, and MOTree is the class such that
$\mathrm{MOTS}(|\psi_n\rangle) \le p(n)$ for some $p$.

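It is easy to see that

$$n \le \mathrm{TS}(|\psi\rangle) \le \mathrm{OTS}(|\psi\rangle) \le \mathrm{MOTS}(|\psi\rangle) \le n 2^n$$

for every $|\psi\rangle$, and that the set of $|\psi\rangle$ such that $\mathrm{TS}(|\psi\rangle) < 2^n$ has measure 0 in $\mathcal{H}_2^{\otimes n}$. Two
other important properties of TS and OTS follow: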

Proposition 71

(i) TS and OTS are invariant under local⁵ basis changes, up to a constant factor of 2.

(ii) If $|\phi\rangle$ is obtained from $|\psi\rangle$ by applying a $k$-qubit unitary, then $\mathrm{TS}(|\phi\rangle) \le k4^k\,\mathrm{TS}(|\psi\rangle)$
and $\mathrm{OTS}(|\phi\rangle) \le k4^k\,\mathrm{OTS}(|\psi\rangle)$.

Proof.

(i) Simply replace each occurrence of $|0\rangle$ in the original tree by a tree for $\alpha|0\rangle + \beta|1\rangle$,
and each occurrence of $|1\rangle$ by a tree for $\gamma|0\rangle + \delta|1\rangle$, as appropriate.

(ii) Suppose without loss of generality that the gate is applied to the first $k$ qubits. Let
$T$ be a tree representing $|\psi\rangle$, and let $T_y$ be the restriction of $T$ obtained by setting
the first $k$ qubits to $y \in \{0,1\}^k$. Clearly $|T_y| \le |T|$. Furthermore, we can express
$|\phi\rangle$ in the form $\sum_{y \in \{0,1\}^k} S_y T_y$, where each $S_y$ represents a $k$-qubit state and hence is
expressible by a tree of size $k2^k$.

⁴ Requiring only the whole tree to represent a normalized state clearly yields no further generality.
⁵ Several people told me that a reasonable complexity measure must be invariant under all basis changes.
Alas, this would imply that all pure states have the same complexity!
One can also define the $\varepsilon$-approximate tree size $\mathrm{TS}_\varepsilon(|\psi\rangle)$ to be the minimum size
of a tree representing a state $|\varphi\rangle$ such that $|\langle\psi|\varphi\rangle|^2 \ge 1 - \varepsilon$, and define $\mathrm{OTS}_\varepsilon(|\psi\rangle)$ and
$\mathrm{MOTS}_\varepsilon(|\psi\rangle)$ similarly.

Definition 72 An arithmetic formula (over the ring $\mathbb{C}$ and $n$ variables) is a rooted
binary tree where each leaf vertex is labeled with either a complex number or a variable in
$\{x_1, \ldots, x_n\}$, and each non-leaf vertex is labeled with either $+$ or $\times$. Such a tree represents
a polynomial $p(x_1, \ldots, x_n)$ in the obvious way. We call a polynomial multilinear if no
variable appears raised to a higher power than 1, and an arithmetic formula multilinear if
the polynomials computed by each of its subtrees are multilinear.

The size $|\Phi|$ of a multilinear formula $\Phi$ is the number of leaf vertices. Given a
multilinear polynomial $p$, the multilinear formula size $\mathrm{MFS}(p)$ is the minimum size of a
multilinear formula that represents $p$. Then given a function $f : \{0,1\}^n \to \mathbb{C}$, we define

$$\mathrm{MFS}(f) = \min_{p \,:\, p(x) = f(x)\ \forall x \in \{0,1\}^n} \mathrm{MFS}(p).$$

(Actually $p$ turns out to be unique [184].) We can also define the $\varepsilon$-approximate multilinear
formula size of $f$,

$$\mathrm{MFS}_\varepsilon(f) = \min_{p \,:\, \|p - f\|_2^2 \le \varepsilon} \mathrm{MFS}(p)$$

where $\|p - f\|_2^2 = \sum_{x \in \{0,1\}^n} |p(x) - f(x)|^2$. (This metric is closely related to the inner
product $\sum_x \overline{p(x)} f(x)$, but is often more convenient to work with.) Now given a state
$|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$ in $\mathcal{H}_2^{\otimes n}$, let $f_\psi$ be the function from $\{0,1\}^n$ to $\mathbb{C}$ defined by $f_\psi(x) = \alpha_x$.

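Theorem 73 For all $|\psi\rangle$,

(i) $\mathrm{MFS}(f_\psi) = O(\mathrm{TS}(|\psi\rangle))$.

(ii) $\mathrm{TS}(|\psi\rangle) = O(\mathrm{MFS}(f_\psi) + n)$.

(iii) $\mathrm{MFS}_\delta(f_\psi) = O(\mathrm{TS}_\varepsilon(|\psi\rangle))$ where $\delta = 2 - 2\sqrt{1 - \varepsilon}$.

(iv) $\mathrm{TS}_{2\varepsilon}(|\psi\rangle) = O(\mathrm{MFS}_\varepsilon(f_\psi) + n)$.

Proof.

(i) Given a tree representing $|\psi\rangle$, replace every unbounded fan-in gate by a collection of
binary gates, every $\otimes$ by $\times$, every $|1\rangle_i$ vertex by $x_i$, and every $|0\rangle_i$ vertex by a formula
for $1 - x_i$. Push all multiplications by constants at the edges down to $\times$ gates at the
leaves.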
(ii) Given a multilinear formula $\Phi$ for $f_\psi$, let $p(v)$ be the polynomial computed at vertex $v$
of $\Phi$, and let $S(v)$ be the set of variables that appears in $p(v)$. First, call $\Phi$ syntactic
if at every $\times$ gate with children $v$ and $w$, $S(v) \cap S(w) = \emptyset$. A lemma of Raz [195]
states that we can always make $\Phi$ syntactic without increasing its size.

Second, at every $+$ gate $u$ with children $v$ and $w$, enlarge both $S(v)$ and $S(w)$ to
$S(v) \cup S(w)$, by multiplying $p(v)$ by $x_i + (1 - x_i)$ for every $x_i \in S(w) \setminus S(v)$, and
multiplying $p(w)$ by $x_i + (1 - x_i)$ for every $x_i \in S(v) \setminus S(w)$. Doing this does
not invalidate any $\times$ gate that is an ancestor of $u$, since by the assumption that
$\Phi$ is syntactic, $p(u)$ is never multiplied by any polynomial containing variables in
$S(v) \cup S(w)$. Similarly, enlarge $S(r)$ to $\{x_1, \ldots, x_n\}$ where $r$ is the root of $\Phi$.

Third, call $v$ max-linear if $|S(v)| = 1$ but $|S(w)| > 1$ where $w$ is the parent of $v$.
If $v$ is max-linear and $p(v) = a + bx_i$, then replace the tree rooted at $v$ by a tree
computing $a|0\rangle_i + (a + b)|1\rangle_i$. Also, replace all multiplications by constants higher in
$\Phi$ by multiplications at the edges. (Because of the second step, there are no additions
by constants higher in $\Phi$.) Replacing every $\times$ by $\otimes$ then gives a tree representing
$|\psi\rangle$, whose size is easily seen to be $O(|\Phi| + n)$.

(iii) Apply the reduction from part (i). Let the resulting multilinear formula compute
polynomial $p$; then

$$\sum_{x \in \{0,1\}^n} |p(x) - f_\psi(x)|^2 = 2 - 2 \sum_{x \in \{0,1\}^n} p(x)\overline{f_\psi(x)} \le 2 - 2\sqrt{1 - \varepsilon} = \delta.$$



(iv) Apply the reduction from part (ii). Let (/?x) x e{o l}' 1 ' 3e ^ ne resulting amplitude vector; 
since this vector might not be normalized, divide each f3 x by ^2 X \P X \ 2 to produce X . 
Then 



a. 



xe{o,i} r 



xe{o,i} r 



>i-. J E \&-p*\ 2 + J E i^- a *i 



xe{o,i} n 



xe{o,i} n 



>l--(2^) 2 = l-2e. 



Besides Tree, OTree, and MOTree, four other classes of quantum states deserve
mention:

Circuit, a circuit analog of Tree, contains the states $|\psi_n\rangle = \sum_x \alpha_x |x\rangle$ such that for
all $n$, there exists a multilinear arithmetic circuit of size $p(n)$ over the complex numbers
that outputs $\alpha_x$ given $x$ as input, for some polynomial $p$. (Multilinear circuits are the
same as multilinear trees, except that they allow unbounded fanout — that is, polynomials
computed at intermediate points can be reused arbitrarily many times.)
AmpP contains the states $|\psi_n\rangle = \sum_x \alpha_x |x\rangle$ such that for all $n, b$, there exists a
classical circuit of size $p(n + b)$ that outputs $\alpha_x$ to $b$ bits of precision given $x$ as input, for
some polynomial $p$.

Vidal contains the states that are 'polynomially entangled' in the sense of Vidal
[236]. Given a partition of $\{1, \ldots, n\}$ into $A$ and $B$, let $\chi_A(|\psi_n\rangle)$ be the minimum $k$
for which $|\psi_n\rangle$ can be written as $\sum_{i=1}^{k} \alpha_i |\varphi_i^A\rangle \otimes |\varphi_i^B\rangle$, where $|\varphi_i^A\rangle$ and $|\varphi_i^B\rangle$ are states of
qubits in $A$ and $B$ respectively. ($\chi_A(|\psi_n\rangle)$ is known as the Schmidt rank; see [182] for
more information.) Let $\chi(|\psi_n\rangle) = \max_A \chi_A(|\psi_n\rangle)$. Then $|\psi_n\rangle \in$ Vidal if and only if
$\chi(|\psi_n\rangle) \le p(n)$ for some polynomial $p$.

$\Psi$P contains the states $|\psi_n\rangle$ such that for all $n$ and $\varepsilon > 0$, there exists a quantum
circuit of size $p(n + \log(1/\varepsilon))$ that maps the all-0 state to a state some part of which has
trace distance at most $1 - \varepsilon$ from $|\psi_n\rangle$, for some polynomial $p$. Because of the Solovay-Kitaev
Theorem [153, 182], $\Psi$P is invariant under the choice of universal gate set.
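
The Schmidt-rank condition that defines Vidal can be checked numerically on small states. The following Python sketch is an added example, not code from the thesis: it computes $\chi_A$ as the rank of the amplitude matrix across a cut and maximizes over all cuts, on three constructed states. The function names and the convention that qubit 1 is the most significant bit are assumptions of the example.

```python
import itertools
import math

def matrix_rank(rows, tol=1e-9):
    """Rank by Gaussian elimination with partial pivoting."""
    m = [list(r) for r in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = max(range(rank, len(m)), key=lambda r: abs(m[r][col]), default=None)
        if pivot is None or abs(m[pivot][col]) <= tol:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        for r in range(rank + 1, len(m)):
            f = m[r][col] / m[rank][col]
            for c in range(col, len(m[0])):
                m[r][c] -= f * m[rank][c]
        rank += 1
        if rank == len(m):
            break
    return rank

def schmidt_rank(amps, n, A):
    """chi_A: rank of the matrix whose rows are indexed by the bits of the
    qubits in A and whose columns are indexed by the bits of the others.
    amps[x] is the amplitude of the n-bit string x (qubit 1 = top bit)."""
    A = sorted(A)
    B = [q for q in range(1, n + 1) if q not in A]

    def index(bits_a, bits_b):
        x = 0
        for q, b in list(zip(A, bits_a)) + list(zip(B, bits_b)):
            x |= b << (n - q)
        return x

    rows = [[amps[index(a, b)] for b in itertools.product((0, 1), repeat=len(B))]
            for a in itertools.product((0, 1), repeat=len(A))]
    return matrix_rank(rows)

def chi(amps, n):
    """chi = max over partitions (A, B) of chi_A; by symmetry it is enough
    to enumerate the sets A with at most n/2 qubits."""
    best = 1
    for k in range(1, n // 2 + 1):
        for A in itertools.combinations(range(1, n + 1), k):
            best = max(best, schmidt_rank(amps, n, A))
    return best

# Constructed sample states, given as lists of 2^n real amplitudes.
def bell_pairs(n):
    """2^(-n/4) (|00> + |11>)^(tensor n/2), pairing qubits (1,2), (3,4), ..."""
    amps = [0.0] * (1 << n)
    for x in range(1 << n):
        bits = [(x >> (n - q)) & 1 for q in range(1, n + 1)]
        if all(bits[i] == bits[i + 1] for i in range(0, n, 2)):
            amps[x] = 2 ** (-n / 4)
    return amps

def cat(n):
    """(|0...0> + |1...1>) / sqrt(2)."""
    amps = [0.0] * (1 << n)
    amps[0] = amps[-1] = 1 / math.sqrt(2)
    return amps

def even_parity(n):
    """Equal superposition over all n-bit strings of even parity."""
    return [2 ** (-(n - 1) / 2) if bin(x).count("1") % 2 == 0 else 0.0
            for x in range(1 << n)]

if __name__ == "__main__":
    n = 6
    for name, state in [("bell pairs", bell_pairs(n)), ("cat", cat(n)),
                        ("even parity", even_parity(n))]:
        print(name, chi(state, n))
```

The cut that separates the two halves of every Bell pair is the one that drives $\chi$ up to $2^{n/2}$, while the cat and parity states stay at Schmidt rank 2 across every cut.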

13.3 Basic Results 

Before studying the tree size of specific quantum states, it would be nice to know in general 
how tree size behaves as a complexity measure. In this section I prove three rather nice 
properties of tree size. 

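Theorem 74 For all $\varepsilon > 0$, there exists a tree representing $|\psi\rangle$ of size $O(\mathrm{TS}(|\psi\rangle)^{1+\varepsilon})$ and
depth $O(\log \mathrm{TS}(|\psi\rangle))$, as well as a manifestly orthogonal tree of size $O(\mathrm{MOTS}(|\psi\rangle)^{1+\varepsilon})$
and depth $O(\log \mathrm{MOTS}(|\psi\rangle))$.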

Proof. A classical theorem of Brent [70] says that given an arithmetic formula
$\Phi$, there exists an equivalent formula of depth $O(\log|\Phi|)$ and size $O(|\Phi|^c)$, where $c$ is a
constant. Bshouty, Cleve, and Eberly [73] (see also Bonet and Buss [62]) improved Brent's
theorem to show that $c$ can be taken to be $1 + \varepsilon$ for any $\varepsilon > 0$. So it suffices to show that,
for 'division-free' formulas, these theorems preserve multilinearity (and in the MOTS case,
preserve manifest orthogonality).

Brent's theorem is proven by induction on $|\Phi|$. Here is a sketch: choose a
subformula $I$ of $\Phi$ of size between $|\Phi|/3$ and $2|\Phi|/3$ (which one can show always exists). Then
identifying a subformula with the polynomial computed at its root, $\Phi(x)$ can be written as
$G(x) + H(x)I(x)$ for some formulas $G$ and $H$. Furthermore, $G$ and $H$ are both obtainable
from $\Phi$ by removing $I$ and then applying further restrictions. So $|G|$ and $|H|$ are both at
most $|\Phi| - |I| + O(1)$. Let $\widehat{\Phi}$ be a formula equivalent to $\Phi$ that evaluates $G$, $H$, and $I$
separately, and then returns $G(x) + H(x)I(x)$. Then $|\widehat{\Phi}|$ is larger than $|\Phi|$ by at most a
constant factor, while by the induction hypothesis, we can assume the formulas for $G$, $H$,
and $I$ have logarithmic depth. Since the number of induction steps is $O(\log|\Phi|)$, the total
depth is logarithmic and the total blowup in formula size is polynomial in $|\Phi|$. Bshouty,
Cleve, and Eberly's improvement uses a more careful decomposition of $\Phi$, but the basic
idea is the same.

Now, if $\Phi$ is syntactic multilinear, then clearly $G$, $H$, and $I$ are also syntactic
multilinear. Furthermore, $H$ cannot share variables with $I$, since otherwise a subformula
of $\Phi$ containing $I$ would have been multiplied by a subformula containing variables from $I$.
Thus multilinearity is preserved. To see that manifest orthogonality is preserved, suppose
we are evaluating $G$ and $H$ 'bottom up,' and let $G_v$ and $H_v$ be the polynomials computed
at vertex $v$ of $\Phi$. Let $v_0 = \mathrm{root}(I)$, let $v_1$ be the parent of $v_0$, let $v_2$ be the parent of $v_1$, and
so on until $v_k = \mathrm{root}(\Phi)$. It is clear that, for every $x$, either $G_{v_0}(x) = 0$ or $H_{v_0}(x) = 0$.
Furthermore, suppose that property holds for $G_{v_{i-1}}, H_{v_{i-1}}$; then by induction it holds for
$G_{v_i}, H_{v_i}$. If $v_i$ is a $\times$ gate, then this follows from multilinearity (if $|\psi\rangle$ and $|\varphi\rangle$ are manifestly
orthogonal, then $|0\rangle \otimes |\psi\rangle$ and $|0\rangle \otimes |\varphi\rangle$ are also manifestly orthogonal). If $v_i$ is a $+$ gate,
then letting $\mathrm{supp}(p)$ be the set of $x$ such that $p(x) \ne 0$, any polynomial $p$ added to $G_{v_{i-1}}$
or $H_{v_{i-1}}$ must have

$$\mathrm{supp}(p) \cap \left(\mathrm{supp}(G_{v_{i-1}}) \cup \mathrm{supp}(H_{v_{i-1}})\right) = \emptyset,$$

and manifest orthogonality follows. ■

Theorem 75 Any $|\psi\rangle$ can be prepared by a quantum circuit of size polynomial in $\mathrm{OTS}(|\psi\rangle)$.
Thus OTree $\subseteq \Psi$P.

Proof. Let $\Gamma(|\psi\rangle)$ be the minimum size of a circuit needed to prepare $|\psi\rangle \in \mathcal{H}_2^{\otimes n}$
starting from $|0\rangle^{\otimes n}$. The claim, by induction on $\Gamma(|\psi\rangle)$, is that $\Gamma(|\psi\rangle) \le q(\mathrm{OTS}(|\psi\rangle))$
for some polynomial $q$. The base case $\mathrm{OTS}(|\psi\rangle) = 1$ is clear. Let $T$ be an orthogonal
state tree for $|\psi\rangle$, and assume without loss of generality that every gate has fan-in 2 (this
increases $|T|$ by at most a constant factor). Let $T_1$ and $T_2$ be the subtrees of $\mathrm{root}(T)$,
representing states $|\psi_1\rangle$ and $|\psi_2\rangle$ respectively; note that $|T| = |T_1| + |T_2|$. First suppose
$\mathrm{root}(T)$ is a $\otimes$ gate; then clearly $\Gamma(|\psi\rangle) \le \Gamma(|\psi_1\rangle) + \Gamma(|\psi_2\rangle)$.

Second, suppose $\mathrm{root}(T)$ is a $+$ gate, with $|\psi\rangle = \alpha|\psi_1\rangle + \beta|\psi_2\rangle$ and $\langle\psi_1|\psi_2\rangle = 0$.
Let $U$ be a quantum circuit that prepares $|\psi_1\rangle$, and $V$ be a circuit that prepares
$|\psi_2\rangle$. Then we can prepare $\alpha|0\rangle|0\rangle^{\otimes n} + \beta|1\rangle U^{-1}V|0\rangle^{\otimes n}$. Observe that $U^{-1}V|0\rangle^{\otimes n}$ is
orthogonal to $|0\rangle^{\otimes n}$, since $|\psi_1\rangle = U|0\rangle^{\otimes n}$ is orthogonal to $|\psi_2\rangle = V|0\rangle^{\otimes n}$. So applying
a NOT to the first register, conditioned on the OR of the bits in the second register,
yields $|0\rangle \otimes \left(\alpha|0\rangle^{\otimes n} + \beta U^{-1}V|0\rangle^{\otimes n}\right)$, from which we obtain $\alpha|\psi_1\rangle + \beta|\psi_2\rangle$ by applying $U$
to the second register. The size of the circuit used is $O(|U| + |V| + n)$, with a possible
constant-factor blowup arising from the need to condition on the first register. If we are
more careful, however, we can combine the 'conditioning' steps across multiple levels of the
recursion, producing a circuit of size $|V| + O(|U| + n)$. By symmetry, we can also reverse
the roles of $U$ and $V$ to obtain a circuit of size $|U| + O(|V| + n)$. Therefore

$$\Gamma(|\psi\rangle) \le \min\left\{\Gamma(|\psi_1\rangle) + c\,\Gamma(|\psi_2\rangle) + cn,\ c\,\Gamma(|\psi_1\rangle) + \Gamma(|\psi_2\rangle) + cn\right\}$$

for some constant $c \ge 2$. Solving this recurrence we find that $\Gamma(|\psi\rangle)$ is polynomial in
$\mathrm{OTS}(|\psi\rangle)$. ■

Theorem 76 If $|\psi\rangle \in \mathcal{H}_2^{\otimes n}$ is chosen uniformly at random under the Haar measure, then
$\mathrm{TS}_{1/16}(|\psi\rangle) = 2^{\Omega(n)}$ with probability $1 - o(1)$.

Proof. To generate a uniform random state $|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$, we can choose
$\hat{\alpha}_x, \hat{\beta}_x$ for each $x$ independently from a Gaussian distribution with mean 0 and variance
1, then let $\alpha_x = (\hat{\alpha}_x + i\hat{\beta}_x)/\sqrt{R}$ where $R = \sum_{x \in \{0,1\}^n} (\hat{\alpha}_x^2 + \hat{\beta}_x^2)$. Let

$$\Lambda_\psi = \left\{ x : (\mathrm{Re}\,\alpha_x)^2 < \frac{1}{4 \cdot 2^n} \right\},$$

and let $\mathcal{G}$ be the set of $|\psi\rangle$ for which $|\Lambda_\psi| < 2^n/5$. The claim is that $\Pr_{|\psi\rangle}[|\psi\rangle \in \mathcal{G}] =
1 - o(1)$. First, $\mathrm{EX}[R] = 2^{n+1}$, so by a standard Hoeffding-type bound, $\Pr[R < 2^n]$ is
doubly-exponentially small in $n$. Second, assuming $R \ge 2^n$, for each $x$



Pr [x e A^} < Pr 



erf 



4^/2 



< 0.198, 



and the claim follows by a Chernoff bound. 

For $g : \{0,1\}^n \to \mathbb{R}$, let $\Delta_g = \{x : \mathrm{sgn}(g(x)) \ne \mathrm{sgn}(\mathrm{Re}\,\alpha_x)\}$, where $\mathrm{sgn}(y)$ is 1 if
$y \ge 0$ and $-1$ otherwise. Then if $|\psi\rangle \in \mathcal{G}$, clearly

$$\sum_{x \in \{0,1\}^n} |g(x) - f_\psi(x)|^2 \ge \frac{|\Delta_g| - |\Lambda_\psi|}{4 \cdot 2^n}$$

where $f_\psi(x) = \mathrm{Re}\,\alpha_x$, and thus

$$|\Delta_g| \le \left(4\,\|g - f_\psi\|_2^2 + \frac{1}{5}\right) 2^n.$$

Therefore to show that $\mathrm{MFS}_{1/15}(f_\psi) = 2^{\Omega(n)}$ with probability $1 - o(1)$, we need only show
that for almost all Boolean functions $f : \{0,1\}^n \to \{-1, 1\}$, there is no arithmetic formula
$\Phi$ of size $2^{o(n)}$ such that

$$|\{x : \mathrm{sgn}(\Phi(x)) \ne f(x)\}| \le 0.49 \cdot 2^n.$$

Here an arithmetic formula is real-valued, and can include addition, subtraction, and
multiplication gates of fan-in 2 as well as constants. We do not need to assume multilinearity,
and it is easy to see that the assumption of bounded fan-in is without loss of generality. Let
$W$ be the set of Boolean functions sign-represented by an arithmetic formula of size $2^{o(n)}$,
in the sense that $\mathrm{sgn}(\Phi(x)) = f(x)$ for all $x$. Then it suffices to show that $|W| = 2^{2^{o(n)}}$,
since the number of functions sign-represented on an 0.51 fraction of inputs is at most
$|W| \cdot 2^{2^n H(0.51)}$. (Here $H$ denotes the binary entropy function.)

Let $\Phi$ be an arithmetic formula that takes as input the binary string $x = (x_1, \ldots, x_n)$
as well as constants $c_1, c_2, \ldots$. Let $\Phi_c$ denote $\Phi$ under a particular assignment $c$ to $c_1, c_2, \ldots$.
Then a result of Gashkov [121] (see also Turán and Vatan [230]), which follows from
Warren's Theorem [237] in real algebraic geometry, shows that as we range over all $c$, $\Phi_c$
sign-represents at most $(2^{n+4}|\Phi|)^{|\Phi|}$ distinct Boolean functions, where $|\Phi|$ is the size of $\Phi$.
Furthermore, excluding constants, the number of distinct arithmetic formulas of size $|\Phi|$ is
at most $(3|\Phi|^2)^{|\Phi|}$. When $|\Phi| = 2^{o(n)}$, this gives $(3|\Phi|^2)^{|\Phi|} \cdot (2^{n+4}|\Phi|)^{|\Phi|} = 2^{2^{o(n)}}$.
Therefore $\mathrm{MFS}_{1/15}(f_\psi) = 2^{\Omega(n)}$; by Theorem 73, part (iii), this implies that $\mathrm{TS}_{1/16}(|\psi\rangle) = 2^{\Omega(n)}$.
■

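A corollary of Theorem 76 is the following 'nonamplification' property: there exist
states that can be approximated to within, say, 1% by trees of polynomial size, but that
require exponentially large trees to approximate to within a smaller margin (say 0.01%).

Corollary 77 For all $\delta \in (0, 1]$, there exists a state $|\psi\rangle$ such that $\mathrm{TS}_\delta(|\psi\rangle) = n$ but
$\mathrm{TS}_\varepsilon(|\psi\rangle) = 2^{\Omega(n)}$ where $\varepsilon = \delta/32 - \delta^2/4096$.

Proof. It is clear from Theorem 76 that there exists a state $|\varphi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$
such that $\mathrm{TS}_{1/16}(|\varphi\rangle) = 2^{\Omega(n)}$ and $\alpha_{0^n} = 0$. Take $|\psi\rangle = \sqrt{1 - \delta}\,|0\rangle^{\otimes n} + \sqrt{\delta}\,|\varphi\rangle$. Since
$|\langle\psi|0\rangle^{\otimes n}|^2 = 1 - \delta$, we have $\mathrm{MOTS}_\delta(|\psi\rangle) = n$. On the other hand, suppose some $|\phi\rangle =
\sum_{x \in \{0,1\}^n} \beta_x |x\rangle$ with $\mathrm{TS}(|\phi\rangle) = 2^{o(n)}$ satisfies $|\langle\phi|\psi\rangle|^2 \ge 1 - \varepsilon$. Then

$$\sum_{x \ne 0^n} \left(\sqrt{\delta}\,\alpha_x - \beta_x\right)^2 \le 2 - 2\sqrt{1 - \varepsilon}.$$

Thus, letting $f_\varphi(x) = \alpha_x$, we have $\mathrm{MFS}_c(f_\varphi) = O(\mathrm{TS}(|\phi\rangle))$ where $c = (2 - 2\sqrt{1 - \varepsilon})/\delta$.
By Theorem 73, part (iv), this implies that $\mathrm{TS}_{2c}(|\varphi\rangle) = O(\mathrm{TS}(|\phi\rangle))$. But $2c = 1/16$ when
$\varepsilon = \delta/32 - \delta^2/4096$, contradiction. ■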

13.4 Relations Among Quantum State Classes 

This section presents some results about the quantum state hierarchy introduced in Section
13.2. Theorem 78 shows simple inclusions and separations, while Theorem 79 shows that
separations higher in the hierarchy would imply major complexity class separations (and
vice versa).

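Theorem 78

(i) Tree $\cup$ Vidal $\subseteq$ Circuit $\subseteq$ AmpP.

(ii) All states in Vidal have tree size $n^{O(\log n)}$.

(iii) $\Sigma_2 \subseteq$ Vidal but $\otimes_2 \not\subset$ Vidal.

(iv) $\otimes_2 \subsetneq$ MOTree.

(v) $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\otimes_1$, $\otimes_2$, and $\otimes_3$ are all distinct. Also, $\otimes_3 \ne \Sigma_4 \cap \otimes_4$.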
Proof. 
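(i) Tree $\subseteq$ Circuit since any multilinear tree is also a multilinear circuit. Circuit $\subseteq$ AmpP
since the circuit yields a polynomial-time algorithm for computing the amplitudes.
For Vidal $\subseteq$ Circuit, we use an idea of Vidal [236]: given $|\psi_n\rangle \in$ Vidal, for all $j \in
\{1, \ldots, n\}$ we can express $|\psi_n\rangle$ as

$$\sum_{i=1}^{\chi(|\psi_n\rangle)} \alpha_{ij} \left|\varphi_i^{[1 \ldots j]}\right\rangle \otimes \left|\varphi_i^{[j+1 \ldots n]}\right\rangle$$

where $\chi(|\psi_n\rangle)$ is polynomially bounded. Furthermore, Vidal showed that each
$|\varphi_i^{[1 \ldots j]}\rangle$ can be written as a linear combination of states of the form
$|\varphi_i^{[1 \ldots j-1]}\rangle \otimes |0\rangle$ and $|\varphi_i^{[1 \ldots j-1]}\rangle \otimes |1\rangle$ — the point being that the set of
$|\varphi_i^{[1 \ldots j-1]}\rangle$ states is the same, independently of $|\varphi_i^{[1 \ldots j]}\rangle$. This immediately
yields a polynomial-size multilinear circuit for $|\psi_n\rangle$.

(ii) Given $|\psi_n\rangle \in$ Vidal, we can decompose $|\psi_n\rangle$ as

$$\sum_{i=1}^{\chi(|\psi_n\rangle)} \alpha_i \left|\varphi_i^{[1 \ldots n/2]}\right\rangle \otimes \left|\varphi_i^{[n/2+1 \ldots n]}\right\rangle.$$

Then $\chi(|\varphi_i^{[1 \ldots n/2]}\rangle) \le \chi(|\psi_n\rangle)$ and $\chi(|\varphi_i^{[n/2+1 \ldots n]}\rangle) \le \chi(|\psi_n\rangle)$ for all $i$, so we can
recursively decompose these states in the same manner. It follows that $\mathrm{TS}(|\psi_n\rangle) \le
2\chi(|\psi\rangle)\,\mathrm{TS}(|\psi_{n/2}\rangle)$; solving this recurrence relation yields $\mathrm{TS}(|\psi_n\rangle) \le (2\chi(|\psi\rangle))^{\log n} =
n^{O(\log n)}$.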

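(iii) $\Sigma_2 \subseteq$ Vidal follows since a sum of $t$ separable states has $\chi \le t$, while $\otimes_2 \not\subset$ Vidal follows
from the example of $n/2$ Bell pairs: $2^{-n/4}(|00\rangle + |11\rangle)^{\otimes n/2}$.

(iv) $\otimes_2 \subseteq$ MOTree is obvious, while MOTree $\not\subset \otimes_2$ follows from the example of $|P_n^i\rangle$, an
equal superposition over all $n$-bit strings of parity $i$. The following recursive formulas
imply that $\mathrm{MOTS}(|P_n^i\rangle) \le 4\,\mathrm{MOTS}(|P_{n/2}^i\rangle) = O(n^2)$:

$$|P_n^0\rangle = \frac{1}{\sqrt{2}}\left(|P_{n/2}^0\rangle |P_{n/2}^0\rangle + |P_{n/2}^1\rangle |P_{n/2}^1\rangle\right),$$

$$|P_n^1\rangle = \frac{1}{\sqrt{2}}\left(|P_{n/2}^0\rangle |P_{n/2}^1\rangle + |P_{n/2}^1\rangle |P_{n/2}^0\rangle\right).$$

On the other hand, $|P_n\rangle \notin \otimes_2$ follows from $|P_n\rangle \notin \Sigma_1$ together with the fact that $|P_n\rangle$
has no nontrivial tensor product decomposition.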

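(v) $\otimes_1 \not\subset \Sigma_1$ and $\Sigma_1 \not\subset \otimes_1$ are obvious. $\otimes_2 \not\subset \Sigma_2$ (and hence $\otimes_1 \neq \otimes_2$) follows
from part (iii). $\Sigma_2 \not\subset \otimes_2$ (and hence $\Sigma_1 \neq \Sigma_2$) follows from part (iv), together with
the fact that $|P_n\rangle$ has a $\Sigma_2$ formula based on the Fourier transform:

$$|P_n^i\rangle = \frac{1}{\sqrt{2}} \left( \left( \frac{|0\rangle + |1\rangle}{\sqrt{2}} \right)^{\otimes n} + (-1)^i \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)^{\otimes n} \right).$$

$\Sigma_2 \neq \Sigma_3$ follows from $\otimes_2 \not\subset \Sigma_2$ and $\otimes_2 \subseteq \Sigma_3$. Also, $\Sigma_3 \not\subset \otimes_3$ follows from $\Sigma_2 \neq \Sigma_3$,
together with the fact that we can easily construct states in $\Sigma_3 \setminus \Sigma_2$ that have no
nontrivial tensor product decomposition — for example,



$\otimes_2 \neq \otimes_3$ follows from $\Sigma_2 \not\subset \otimes_2$ and $\Sigma_2 \subseteq \otimes_3$. Finally, $\otimes_3 \neq \Sigma_4 \cap \otimes_4$ follows from
$\Sigma_3 \not\subset \otimes_3$ and $\Sigma_3 \subseteq \Sigma_4 \cap \otimes_4$.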



Theorem 79 

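(i) $\mathsf{BQP} = \mathsf{P}^{\#\mathsf{P}}$ implies $\mathsf{AmpP} \subseteq \Psi\mathsf{P}$.
(ii) $\mathsf{AmpP} \subseteq \Psi\mathsf{P}$ implies $\mathsf{NP} \subseteq \mathsf{BQP/poly}$.
(iii) $\mathsf{P} = \mathsf{P}^{\#\mathsf{P}}$ implies $\Psi\mathsf{P} \subseteq \mathsf{AmpP}$.
(iv) $\Psi\mathsf{P} \subseteq \mathsf{AmpP}$ implies $\mathsf{BQP} \subseteq \mathsf{P/poly}$.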

Proof. 

(i) First, $\mathsf{BQP} = \mathsf{P}^{\#\mathsf{P}}$ implies $\mathsf{BQP/poly} = \mathsf{P}^{\#\mathsf{P}}\mathsf{/poly}$, since given a $\mathsf{P}^{\#\mathsf{P}}\mathsf{/poly}$ machine
$M$, the language consisting of all $(x, a)$ such that $M$ accepts on input $x$ and advice
$a$ is clearly in $\mathsf{BQP}$. So assume $\mathsf{BQP/poly} = \mathsf{P}^{\#\mathsf{P}}\mathsf{/poly}$, and consider a state
$|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$ with $|\psi\rangle \in \mathsf{AmpP}$. By the result of Bernstein and Vazirani that
$\mathsf{BQP} \subseteq \mathsf{P}^{\#\mathsf{P}}$, for all $b$ there exists a quantum circuit of size polynomial in $n$ and $b$
that approximates $p_0 = \sum_{y \in \{0,1\}^{n-1}} |\alpha_{0y}|^2$, or the probability that the first qubit is
measured to be 0, to $b$ bits of precision. So by uncomputing garbage, we can prepare
a state close to $\sqrt{p_0}\,|0\rangle + \sqrt{1 - p_0}\,|1\rangle$. Similarly, given a superposition over length-$k$
prefixes of $x$, we can prepare a superposition over length-$(k+1)$ prefixes of $x$ by
approximating the conditional measurement probabilities. We thus obtain a state
close to $\sum_x |\alpha_x|\,|x\rangle$. The last step is to approximate the phase of each $|x\rangle$, apply that
phase, and uncompute to obtain a state close to $\sum_x \alpha_x |x\rangle$.

(ii) Given a SAT instance $\varphi$, first use Valiant-Vazirani [231] to produce a formula $\varphi'$ that
(with non-negligible probability) has one satisfying assignment if $\varphi$ is satisfiable and
zero otherwise. Then let $\alpha_x = 1$ if $x$ is a satisfying assignment for $\varphi'$ and $\alpha_x = 0$
otherwise; clearly $|\psi\rangle = \sum_x \alpha_x |x\rangle$ is in $\mathsf{AmpP}$. By the assumption $\mathsf{AmpP} \subseteq \Psi\mathsf{P}$, there
exists a polynomial-size quantum circuit that approximates $|\psi\rangle$, and thereby finds the
unique satisfying assignment for $\varphi'$ if it exists.

(iii) As in part (i), $\mathsf{P} = \mathsf{P}^{\#\mathsf{P}}$ implies $\mathsf{P/poly} = \mathsf{P}^{\#\mathsf{P}}\mathsf{/poly}$. The containment $\Psi\mathsf{P} \subseteq \mathsf{AmpP}$
follows since we can approximate amplitudes to polynomially many bits of precision
in $\#\mathsf{P}$.

(iv) As is well known [55], any quantum computation can be made 'clean' in the sense
that it accepts if and only if a particular basis state (say $|0\rangle^{\otimes n}$) is measured. The
implication follows easily.



13.5 Lower Bounds 

We want to show that certain quantum states of interest to us are not represented by trees 
of polynomial size. At first this seems like a hopeless task. Proving superpolynomial 
formula-size lower bounds for 'explicit' functions is a notoriously hard open problem, as it 
would imply complexity class separations such as $\mathsf{NC}^1 \neq \mathsf{P}$.

Here, though, we are only concerned with multilinear formulas. Could this make
it easier to prove a lower bound? The answer is not obvious, but very recently, for reasons
unrelated to quantum computing, Raz [195, 196] showed the first superpolynomial lower
bounds on multilinear formula size. In particular, he showed that multilinear formulas
computing the permanent or determinant of an $n \times n$ matrix over any field have size $n^{\Omega(\log n)}$.

Raz's technique is a beautiful combination of the Furst-Saxe-Sipser method of random
restrictions [120], with matrix rank arguments as used in communication complexity.
I now outline the method. Given a function $f : \{0,1\}^n \to \mathbb{C}$, let $P$ be a partition of the
input variables $x_1, \ldots, x_n$ into two collections $y = (y_1, \ldots, y_{n/2})$ and $z = (z_1, \ldots, z_{n/2})$.
This yields a function $f_P(y, z) : \{0,1\}^{n/2} \times \{0,1\}^{n/2} \to \mathbb{C}$. Then let $M_{f|P}$ be a $2^{n/2} \times 2^{n/2}$
matrix whose rows are labeled by assignments $y \in \{0,1\}^{n/2}$, and whose columns are labeled
by assignments $z \in \{0,1\}^{n/2}$. The $(y, z)$ entry of $M_{f|P}$ is $f_P(y, z)$. Let $\mathrm{rank}(M_{f|P})$ be
the rank of $M_{f|P}$ over the complex numbers. Finally, let $\mathcal{D}$ be the uniform distribution
over all partitions $P$.

The following, Corollary 3.6 in [196], is one statement of Raz's main theorem;
recall that $\mathrm{MFS}(f)$ is the minimum size of a multilinear formula for $f$.

Theorem 80 ([196]) Suppose that

$$\Pr_{P \in \mathcal{D}} \left[ \mathrm{rank}(M_{f|P}) \ge 2^{n/2 - (n/2)^{1/8}/2} \right] = n^{-o(\log n)}.$$

Then $\mathrm{MFS}(f) = n^{\Omega(\log n)}$.



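An immediate corollary yields lower bounds on approximate multilinear formula
size. Given an $N \times N$ matrix $M = (m_{ij})$, let $\mathrm{rank}_\varepsilon(M) = \min_{L \,:\, \|L - M\|_2^2 \le \varepsilon} \mathrm{rank}(L)$ where
$\|L - M\|_2^2 = \sum_{i,j=1}^{N} |\ell_{ij} - m_{ij}|^2$.

Corollary 81 Suppose that

$$\Pr_{P \in \mathcal{D}} \left[ \mathrm{rank}_\varepsilon(M_{f|P}) \ge 2^{n/2 - (n/2)^{1/8}/2} \right] = n^{-o(\log n)}.$$

Then $\mathrm{MFS}_\varepsilon(f) = n^{\Omega(\log n)}$.

Proof. Suppose $\mathrm{MFS}_\varepsilon(f) = n^{o(\log n)}$. Then for all $g$ such that $\|f - g\|_2^2 \le \varepsilon$, we
would have $\mathrm{MFS}(g) = n^{o(\log n)}$, and therefore

$$\Pr_{P \in \mathcal{D}} \left[ \mathrm{rank}(M_{g|P}) \ge 2^{n/2 - (n/2)^{1/8}/2} \right] = n^{-\Omega(\log n)}$$

by Theorem 80. But $\mathrm{rank}_\varepsilon(M_{f|P}) \le \mathrm{rank}(M_{g|P})$, and hence

$$\Pr_{P \in \mathcal{D}} \left[ \mathrm{rank}_\varepsilon(M_{f|P}) \ge 2^{n/2 - (n/2)^{1/8}/2} \right] = n^{-\Omega(\log n)},$$

contradiction. ■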

Another simple corollary gives lower bounds in terms of restrictions of $f$. Let
$\mathcal{R}_\ell$ be the following distribution over restrictions $R$: choose $2\ell$ variables of $f$ uniformly at
random, and rename them $y = (y_1, \ldots, y_\ell)$ and $z = (z_1, \ldots, z_\ell)$. Set each of the remaining
$n - 2\ell$ variables to 0 or 1 uniformly and independently at random. This yields a restricted
function $f_R(y, z)$. Let $M_{f|R}$ be a $2^\ell \times 2^\ell$ matrix whose $(y, z)$ entry is $f_R(y, z)$.

Corollary 82 Suppose that

$$\Pr_{R \in \mathcal{R}_\ell} \left[ \mathrm{rank}(M_{f|R}) \ge 2^{\ell - \ell^{1/8}/2} \right] = n^{-o(\log n)}$$

where $\ell = n^\delta$ for some constant $\delta \in (0, 1]$. Then $\mathrm{MFS}(f) = n^{\Omega(\log n)}$.

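Proof. Under the hypothesis, clearly there exists a fixed restriction $g : \{0,1\}^{2\ell} \to \mathbb{C}$
of $f$, which leaves $2\ell$ variables unrestricted, such that

$$\Pr_{P \in \mathcal{D}} \left[ \mathrm{rank}(M_{g|P}) \ge 2^{\ell - \ell^{1/8}/2} \right] = n^{-o(\log n)} = \ell^{-o(\log \ell)}.$$

Then by Theorem 80,

$$\mathrm{MFS}(f) \ge \mathrm{MFS}(g) = \ell^{\Omega(\log \ell)} = n^{\Omega(\log n)}.$$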



The following sections apply Raz's theorem to obtain $n^{\Omega(\log n)}$ tree size lower
bounds for two classes of quantum states: states arising in quantum error-correction in
Section 13.5.1, and (assuming a number-theoretic conjecture) states arising in Shor's
factoring algorithm in Section 13.5.2.



13.5.1 Subgroup States 

Let the elements of $\mathbb{Z}_2^n$ be labeled by $n$-bit strings. Given a subgroup $S \le \mathbb{Z}_2^n$, we define
the subgroup state $|S\rangle$ as follows:

$$|S\rangle = \frac{1}{\sqrt{|S|}} \sum_{x \in S} |x\rangle.$$

Coset states arise as codewords in the class of quantum error-correcting codes known as
stabilizer codes [80, 133, 225]. Our interest in these states, however, arises from their large
tree size rather than their error-correcting properties.

Let $\mathcal{E}$ be the following distribution over subgroups $S$. Choose an $n/2 \times n$ matrix
$A$ by setting each entry to 0 or 1 uniformly and independently. Then let
$S = \{x \mid Ax \equiv 0 \pmod 2\}$. By Theorem 73, part (i), it suffices to lower-bound the multilinear
formula size of the function $f_S(x)$, which is 1 if $x \in S$ and 0 otherwise.

Theorem 83 If $S$ is drawn from $\mathcal{E}$, then $\mathrm{MFS}(f_S) = n^{\Omega(\log n)}$ (and hence $\mathrm{TS}(|S\rangle) =
n^{\Omega(\log n)}$), with probability $\Omega(1)$ over $S$.

Proof. Let $P$ be a uniform random partition of the inputs $x_1, \ldots, x_n$ of $f_S$ into
two sets $y = (y_1, \ldots, y_{n/2})$ and $z = (z_1, \ldots, z_{n/2})$. Let $M_{S|P}$ be the $2^{n/2} \times 2^{n/2}$ matrix
whose $(y, z)$ entry is $f_{S|P}(y, z)$; then we need to show that $\mathrm{rank}(M_{S|P})$ is large with high
probability. Let $A_y$ be the $n/2 \times n/2$ submatrix of the $n/2 \times n$ matrix $A$ consisting
of all rows that correspond to $y_i$ for some $i \in \{1, \ldots, n/2\}$, and similarly let $A_z$ be the
$n/2 \times n/2$ submatrix corresponding to $z$. Then it is easy to see that, so long as $A_y$ and
$A_z$ are both invertible, for all $2^{n/2}$ settings of $y$ there exists a unique setting of $z$ for which
$f_{S|P}(y, z) = 1$. This then implies that $M_{S|P}$ is a permutation of the identity matrix, and
hence that $\mathrm{rank}(M_{S|P}) = 2^{n/2}$. Now, the probability that a random $n/2 \times n/2$ matrix
over $\mathbb{Z}_2$ is invertible is

$$\frac{1}{2} \cdot \frac{3}{4} \cdot \cdots \cdot \frac{2^{n/2} - 1}{2^{n/2}} > 0.288.$$

So the probability that $A_y$ and $A_z$ are both invertible is at least $0.288^2$. By Markov's
inequality, it follows that for at least an 0.04 fraction of $S$'s, $\mathrm{rank}(M_{S|P}) = 2^{n/2}$ for at least
an 0.04 fraction of $P$'s. Theorem 80 then yields the desired result. ■
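
The rank argument in the proof of Theorem 83 can be checked numerically for small $n$. The following Python sketch is an added example, not code from the thesis: it builds $M_{S|P}$ for a random $A$ and a random partition, computes its exact rank, and compares it with the invertibility of $A_y$ and $A_z$, taken here to be the columns of $A$ indexed by the $y$ and $z$ variables. The function names and the encoding of each column of $A$ as an integer are choices made for this example; it also checks the more general identity $\mathrm{rank}(M_{S|P}) = |\mathrm{Im}(A_y) \cap \mathrm{Im}(A_z)|$, which goes slightly beyond the invertible case used in the proof.

```python
from fractions import Fraction
from itertools import product
import random


def matvec_mod2(cols, bits):
    """XOR of the columns (ints, bit r = row r of A) selected by `bits`."""
    acc = 0
    for c, b in zip(cols, bits):
        if b:
            acc ^= c
    return acc


def partition_matrix(cols, y_idx, z_idx):
    """M_{S|P}: entry (y, z) is 1 iff the string assembled from y and z is in S."""
    a_y = [cols[i] for i in y_idx]
    a_z = [cols[i] for i in z_idx]
    ys = list(product((0, 1), repeat=len(a_y)))
    zs = list(product((0, 1), repeat=len(a_z)))
    # Ax = A_y y + A_z z (mod 2), so x is in S exactly when A_y y == A_z z.
    return [[int(matvec_mod2(a_y, y) == matvec_mod2(a_z, z)) for z in zs] for y in ys]


def rank_over_q(rows):
    """Exact rank by Gaussian elimination over the rationals (same as over C)."""
    m = [[Fraction(v) for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][col] != 0), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        for r in range(rank + 1, len(m)):
            if m[r][col] != 0:
                f = m[r][col] / m[rank][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def image(cols):
    """All values A'v (mod 2) reachable with the submatrix made of these columns."""
    return {matvec_mod2(cols, v) for v in product((0, 1), repeat=len(cols))}


def invertible(cols, k):
    """A k x k matrix over Z_2 is invertible iff v -> A'v hits all 2^k values."""
    return len(image(cols)) == 2 ** k


def invertible_probability(k):
    """Pr[random k x k matrix over Z_2 is invertible] = prod_{i=1..k} (1 - 2^-i)."""
    p = Fraction(1)
    for i in range(1, k + 1):
        p *= 1 - Fraction(1, 2 ** i)
    return p


def experiment(n=8, trials=40, seed=1):
    """Draw (A, P) pairs; return (rank, |Im A_y & Im A_z|, both invertible) per trial
    and the fraction of trials in which M_{S|P} has full rank 2^(n/2)."""
    rng = random.Random(seed)
    k = n // 2
    results, full = [], 0
    for _ in range(trials):
        cols = [rng.getrandbits(k) for _ in range(n)]   # random k x n matrix A
        idx = list(range(n))
        rng.shuffle(idx)                                 # random partition P
        y_idx, z_idx = idx[:k], idx[k:]
        a_y = [cols[i] for i in y_idx]
        a_z = [cols[i] for i in z_idx]
        r = rank_over_q(partition_matrix(cols, y_idx, z_idx))
        both = invertible(a_y, k) and invertible(a_z, k)
        results.append((r, len(image(a_y) & image(a_z)), both))
        full += (r == 2 ** k)
    return results, full / trials


if __name__ == "__main__":
    res, frac = experiment()
    print("fraction of (A, P) pairs with full-rank M_{S|P}:", frac)
    print("invertibility probability for k = 4:", float(invertible_probability(4)))
```
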

Aaronson and Gottesman [3] showed how to prepare any $n$-qubit subgroup state
using a quantum circuit of size $O(n^2 / \log n)$. So a corollary of Theorem 83 is that
$\Psi\mathsf{P} \not\subset \mathsf{Tree}$. Since $f_S$ clearly has a (non-multilinear) arithmetic formula of size $O(nk)$, a
second corollary is the following.

Corollary 84 There exists a family of functions $f_n : \{0,1\}^n \to \mathbb{R}$ that has polynomial-size
arithmetic formulas, but no polynomial-size multilinear formulas.

The reason Corollary 84 does not follow from Raz's results is that polynomial-size
formulas for the permanent and determinant are not known; the smallest known formulas
for the determinant have size $n^{O(\log n)}$ (see [79]).

We have shown that not all subgroup states are tree states, but it is still conceivable 
that all subgroup states are extremely well approximated by tree states. Let us now rule 
out the latter possibility. We first need a lemma about matrix rank, which follows from 
the Hoffman-Wielandt inequality.

Lemma 85 Let $M$ be an $N \times N$ complex matrix, and let $I_N$ be the $N \times N$ identity matrix.
Then $\|M - I_N\|_2^2 \ge N - \mathrm{rank}(M)$.

Proof. The Hoffman-Wielandt inequality [144] (see also [33]) states that for any
two $N \times N$ matrices $M, P$,

$$\sum_{i=1}^{N} (\sigma_i(M) - \sigma_i(P))^2 \le \|M - P\|_2^2,$$

where $\sigma_i(M)$ is the $i$th singular value of $M$ (that is, $\sigma_i(M) = \sqrt{\lambda_i(M)}$, where $\lambda_1(M) \ge
\cdots \ge \lambda_N(M) \ge 0$ are the eigenvalues of $MM^*$, and $M^*$ is the conjugate transpose of $M$).
Clearly $\sigma_i(I_N) = 1$ for all $i$. On the other hand, $M$ has only $\mathrm{rank}(M)$ nonzero singular
values, so

$$\sum_{i=1}^{N} (\sigma_i(M) - \sigma_i(I_N))^2 \ge N - \mathrm{rank}(M).$$



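Let $\hat{f}_S(x) = f_S(x) / \sqrt{|S|}$ be $f_S(x)$ normalized to have $\|\hat{f}_S\|_2^2 = 1$.

Theorem 86 For all constants $\varepsilon \in [0, 1)$, if $S$ is drawn from $\mathcal{E}$, then $\mathrm{MFS}_\varepsilon(\hat{f}_S) = n^{\Omega(\log n)}$
with probability $\Omega(1)$ over $S$.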



Proof. As in Theorem 83, we look at the matrix $M_{S|P}$ induced by a random
partition $P = (y, z)$. We already know that for at least an 0.04 fraction of $S$'s, the $y$ and
$z$ variables are in one-to-one correspondence for at least an 0.04 fraction of $P$'s. In that
case $|S| = 2^{n/2}$, and therefore $M_{S|P}$ is a permutation of $I / \sqrt{|S|} = I / 2^{n/4}$ where $I$ is the
identity. It follows from Lemma 85 that for all matrices $M$ such that $\|M - M_{S|P}\|_2^2 \le \varepsilon$,

$$\mathrm{rank}(M) \ge 2^{n/2} - \left\| \sqrt{|S|}\,(M - M_{S|P}) \right\|_2^2 \ge (1 - \varepsilon)\, 2^{n/2}$$

and therefore $\mathrm{rank}_\varepsilon(M_{S|P}) \ge (1 - \varepsilon)\, 2^{n/2}$. Hence

$$\Pr_{P \in \mathcal{D}} \left[ \mathrm{rank}_\varepsilon(M_{f|P}) \ge 2^{n/2 - (n/2)^{1/8}/2} \right] \ge 0.04,$$

and the result follows from Corollary 81. ■

A corollary of Theorem 86 and of Theorem 73, part (iii), is that $\mathrm{TS}_\varepsilon(|S\rangle) =
n^{\Omega(\log n)}$ with probability $\Omega(1)$ over $S$, for all $\varepsilon < 1$.

Finally, let me show how to derandomize the lower bound for subgroup states,
using ideas pointed out to me by Andrej Bogdanov. In the proof of Theorem 83, all we
needed about the matrix $A$ was that a random $k \times k$ submatrix has full rank with $\Omega(1)$
probability, where $k = n/2$. If we switch from the field $\mathbb{F}_2$ to $\mathbb{F}_{2^d}$ for some $d \ge \log_2 n$, then
it is easy to construct explicit $k \times n$ matrices with this same property. For example, let

$$V = \begin{pmatrix} 1^0 & 1^1 & \cdots & 1^{k-1} \\ 2^0 & 2^1 & \cdots & 2^{k-1} \\ \vdots & \vdots & & \vdots \\ n^0 & n^1 & \cdots & n^{k-1} \end{pmatrix}$$

be the $n \times k$ Vandermonde matrix, where $1, \ldots, n$ are labels of elements in $\mathbb{F}_{2^d}$. Any $k \times k$
submatrix of $V$ has full rank, because the Reed-Solomon (RS) code that $V$ represents is
a perfect erasure code.⁶ Hence, there exists an explicit state of $n$ "qupits" with $p = 2^d$
that has tree size $n^{\Omega(\log n)}$ — namely the uniform superposition over all elements of the set
$\{x \mid V^T x = 0\}$, where $V^T$ is the transpose of $V$.

To replace qupits by qubits, we concatenate the RS and Hadamard codes to obtain
a binary linear erasure code with parameters almost as good as those of the original RS
code. More explicitly, interpret $\mathbb{F}_{2^d}$ as the field of polynomials over $\mathbb{F}_2$, modulo some
irreducible of degree $d$. Then let $m(a)$ be the $d \times d$ Boolean matrix that maps $q \in \mathbb{F}_{2^d}$ to
$aq \in \mathbb{F}_{2^d}$, where $q$ and $aq$ are encoded by their $d \times 1$ vectors of coefficients. Let $H$ map
a length-$d$ vector to its length-$2^d$ Hadamard encoding. Then $Hm(a)$ is a $2^d \times d$ Boolean
matrix that maps $q \in \mathbb{F}_{2^d}$ to the Hadamard encoding of $aq$. We can now define an $n2^d \times kd$
"binary Vandermonde matrix" as follows:

$$V_{\mathrm{bin}} = \begin{pmatrix} Hm(1^0) & Hm(1^1) & \cdots & Hm(1^{k-1}) \\ Hm(2^0) & Hm(2^1) & \cdots & Hm(2^{k-1}) \\ \vdots & \vdots & & \vdots \\ Hm(n^0) & Hm(n^1) & \cdots & Hm(n^{k-1}) \end{pmatrix}$$

For the remainder of the section, fix $k = n^\delta$ for some $\delta < 1/2$ and $d = O(\log n)$.

Lemma 87 A $(kd + c) \times kd$ submatrix of $V_{\mathrm{bin}}$ chosen uniformly at random has rank $kd$
(that is, full rank) with probability at least 2/3, for $c$ a sufficiently large constant.

Proof. The first claim is that $|V_{\mathrm{bin}} u| \ge (n - k)\, 2^{d-1}$ for all nonzero vectors
$u \in \mathbb{F}_2^{kd}$, where $|\,\cdot\,|$ represents the number of '1' bits. To see this, observe that for all nonzero $u$,
the "codeword vector" $Vu \in \mathbb{F}_{2^d}^n$ must have at least $n - k$ nonzero entries by the Fundamental
Theorem of Algebra, where here $u$ is interpreted as an element of $\mathbb{F}_{2^d}^k$. Furthermore, the
Hadamard code maps any nonzero entry in $Vu$ to $2^{d-1}$ nonzero bits in $V_{\mathrm{bin}} u \in \mathbb{F}_2^{n2^d}$.

Now let $W$ be a uniformly random $(kd + c) \times kd$ submatrix of $V_{\mathrm{bin}}$. By the above
claim, for any fixed nonzero vector $u \in \mathbb{F}_2^{kd}$,

$$\Pr_W [Wu = 0] \le \left( 1 - \frac{(n - k)\, 2^{d-1}}{n 2^d} \right)^{kd+c} = \left( \frac{1}{2} + \frac{k}{2n} \right)^{kd+c}.$$

So by the union bound, $Wu$ is nonzero for all nonzero $u$ (and hence $W$ is full rank) with
probability at least

$$1 - 2^{kd} \left( \frac{1}{2} + \frac{k}{2n} \right)^{kd+c} = 1 - \left( 1 + \frac{k}{n} \right)^{kd} \left( \frac{1}{2} + \frac{k}{2n} \right)^{c}.$$

Since $k = n^{1/2 - \Omega(1)}$ and $d = O(\log n)$, the above quantity is at least 2/3 for sufficiently
large $c$. ■

Given an $n2^d \times 1$ Boolean vector $x$, let $f(x) = 1$ if $V_{\mathrm{bin}}^T x = 0$ and $f(x) = 0$
otherwise. Then:

⁶ In other words, because a degree-$(k - 1)$ polynomial is determined by its values at any $k$ points.






Theorem 88 $\mathrm{MFS}(f) = n^{\Omega(\log n)}$.

Proof. Let $V_y$ and $V_z$ be two disjoint $kd \times (kd + c)$ submatrices of $V_{\mathrm{bin}}^T$ chosen
uniformly at random. Then by Lemma 87 together with the union bound, $V_y$ and $V_z$ both
have full rank with probability at least 1/3. Letting $\ell = kd + c$, it follows that

$$\Pr_{R \in \mathcal{R}_\ell} \left[ \mathrm{rank}(M_{f|R}) \ge 2^{\ell - c} \right] \ge \frac{1}{3} = n^{-o(\log n)}$$

by the same reasoning as in Theorem 83. Therefore $\mathrm{MFS}(f) = n^{\Omega(\log n)}$ by Corollary 82. ■



Let $|S\rangle$ be a uniform superposition over all $x$ such that $f(x) = 1$; then a corollary
of Theorem 88 is that $\mathrm{TS}(|S\rangle) = n^{\Omega(\log n)}$. Naturally, using the ideas of Theorem 86, one
can also show that $\mathrm{TS}_\varepsilon(|S\rangle) = n^{\Omega(\log n)}$ for all $\varepsilon < 1$.



13.5.2 Shor States 

Since the motivation for this work was to study possible Sure/Shor separators, an obvious
question is, do states arising in Shor's algorithm have superpolynomial tree size?
Unfortunately, I am only able to answer this question assuming a number-theoretic conjecture. To
formalize the question, let

$$\frac{1}{2^{n/2}} \sum_{r=0}^{2^n - 1} |r\rangle\, |x^r \bmod N\rangle$$

be a Shor state. It will be convenient to measure the second register, so that the state of
the first register has the form

$$|a + p\mathbb{Z}\rangle = \frac{1}{\sqrt{I}} \sum_{i=0}^{I} |a + pi\rangle$$

for some integers $a < p$ and $I = \lfloor (2^n - a - 1)/p \rfloor$. Here $a + pi$ is written out in binary using
$n$ bits. Clearly a lower bound on $\mathrm{TS}(|a + p\mathbb{Z}\rangle)$ would imply an equivalent lower bound for
the joint state of the two registers.

To avoid some technicalities, assume $p$ is prime (since the goal is to prove a lower
bound, this assumption is without loss of generality). Given an $n$-bit string $x = x_{n-1} \ldots x_0$,
let $f_{n,p,a}(x) = 1$ if $x \equiv a \pmod p$ and $f_{n,p,a}(x) = 0$ otherwise. Then $\mathrm{TS}(|a + p\mathbb{Z}\rangle) =
\Theta(\mathrm{MFS}(f_{n,p,a}))$ by Theorem 73, so from now on we will focus attention on $f_{n,p,a}$.

Proposition 89

(i) Let $f_{n,p} = f_{n,p,0}$. Then $\mathrm{MFS}(f_{n,p,a}) \le \mathrm{MFS}(f_{n + \log p,\, p})$, meaning that we can set
$a = 0$ without loss of generality.

(ii) $\mathrm{MFS}(f_{n,p}) = O(\min\{n 2^n / p,\; np\})$.

Proof.

(i) Take the formula for $f_{n + \log p,\, p}$, and restrict the most significant $\log p$ bits to sum
to a number congruent to $-a \bmod p$ (this is always possible since $x \to 2^n x$ is an
isomorphism of $\mathbb{Z}_p$).

(ii) For $\mathrm{MFS}(f_{n,p}) = O(n 2^n / p)$, write out the $x$'s for which $f_{n,p}(x) = 1$ explicitly. For
$\mathrm{MFS}(f_{n,p}) = O(np)$, use the Fourier transform, similarly to Theorem 78, part (v):

$$f_{n,p}(x) = \frac{1}{p} \sum_{h=0}^{p-1} \prod_{j=0}^{n-1} \exp\left( \frac{2\pi i h}{p} \cdot 2^j x_j \right).$$

This immediately yields a sum-of-products formula of size $O(np)$.

■

I now state the number-theoretic conjecture. 

Conjecture 90 There exist constants $\gamma, \delta \in (0, 1)$ and a prime $p = \Omega(2^{n^\delta})$ for which the
following holds. Let the set $A$ consist of $n^\delta$ elements of $\{2^0, \ldots, 2^{n-1}\}$ chosen uniformly at
random. Let $S$ consist of all $2^{n^\delta}$ sums of subsets of $A$, and let $S \bmod p = \{x \bmod p : x \in S\}$.
Then

$$\Pr_A \left[ |S \bmod p| \ge (1 + \gamma)\, \frac{p}{2} \right] = n^{-o(\log n)}.$$

Theorem 91 Conjecture 90 implies that $\mathrm{MFS}(f_{n,p}) = n^{\Omega(\log n)}$ and hence $\mathrm{TS}(|p\mathbb{Z}\rangle) =
n^{\Omega(\log n)}$.

Proof. Let $f = f_{n,p}$ and $\ell = n^\delta$. Let $R$ be a restriction of $f$ that renames $2\ell$
variables $y_1, \ldots, y_\ell, z_1, \ldots, z_\ell$, and sets each of the remaining $n - 2\ell$ variables to 0 or 1. This
leads to a new function, $f_R(y, z)$, which is 1 if $y + z + c \equiv 0 \pmod p$ and 0 otherwise for
some constant $c$. Here we are defining $y = 2^{a_1} y_1 + \cdots + 2^{a_\ell} y_\ell$ and $z = 2^{b_1} z_1 + \cdots + 2^{b_\ell} z_\ell$
where $a_1, \ldots, a_\ell, b_1, \ldots, b_\ell$ are the appropriate place values. Now suppose $y \bmod p$ and
$z \bmod p$ both assume at least $(1 + \gamma)\, p/2$ distinct values as we range over all $x \in \{0,1\}^n$.
Then by the pigeonhole principle, for at least $\gamma p$ possible values of $y \bmod p$, there exists a
unique possible value of $z \bmod p$ for which $y + z + c \equiv 0 \pmod p$ and hence $f_R(y, z) = 1$.
So $\mathrm{rank}(M_{f|R}) \ge \gamma p$, where $M_{f|R}$ is the $2^\ell \times 2^\ell$ matrix whose $(y, z)$ entry is $f_R(y, z)$. It
follows that assuming Conjecture 90,

$$\Pr \left[ \mathrm{rank}(M_{f|R}) \ge \gamma p \right] = n^{-o(\log n)}.$$

Furthermore, $\gamma p \ge 2^{\ell - \ell^{1/8}/2}$ for sufficiently large $n$ since $p = \Omega(2^{n^\delta})$. Therefore $\mathrm{MFS}(f) =
n^{\Omega(\log n)}$ by Corollary 82. ■

Using the ideas of Theorem 86, one can show that under the same conjecture,
$\mathrm{MFS}_\varepsilon(f_{n,p}) = n^{\Omega(\log n)}$ and $\mathrm{TS}_\varepsilon(|p\mathbb{Z}\rangle) = n^{\Omega(\log n)}$ for all $\varepsilon < 1$ — in other words, there exist
Shor states that cannot be approximated by polynomial-size trees.

Originally, I had stated Conjecture 90 without any restriction on how the set $S$
is formed. The resulting conjecture was far more general than I needed, and indeed was
falsified by Carl Pomerance (personal communication).

13.5.3 Tree Size and Persistence of Entanglement

In this section I pursue a deeper understanding of the tree size lower bounds, by discussing
a physical property of quantum states that is related to error-correction as well as to
superpolynomial tree size. Dür and Briegel [100] call a quantum state "persistently entangled,"
if (roughly speaking) it remains highly entangled even after a limited amount of interaction
with its environment. As an illustration, the Schrödinger cat state $(|0\rangle^{\otimes n} + |1\rangle^{\otimes n}) / \sqrt{2}$ is
in some sense highly entangled, but it is not persistently entangled, since measuring a single
qubit in the standard basis destroys all entanglement.

By contrast, consider the "cluster states" defined by Briegel and Raussendorf
[71]. These states have attracted a great deal of attention because of their application
to quantum computing via 1-qubit measurements only [194]. For our purposes, a
two-dimensional cluster state is an equal superposition over all settings of a $\sqrt{n} \times \sqrt{n}$ array of
bits, with each basis state having a phase of $(-1)^r$, where $r$ is the number of horizontally or
vertically adjacent pairs of bits that are both '1'. Dür and Briegel [100] showed that such
states are persistently entangled in a precise sense: one can distill $n$-partite entanglement
from them even after each qubit has interacted with a heat bath for an amount of time
independent of $n$.

Persistence of entanglement seems related to how one shows tree size lower bounds
using Raz's technique. For to apply Corollary 82 one basically "measures" most of a state's
qubits, then partitions the unmeasured qubits into two subsystems of equal size, and argues
that with high probability those two subsystems are still almost maximally entangled. The
connection is not perfect, though. For one thing, setting most of the qubits to 0 or 1
uniformly at random is not the same as measuring them. For another, Theorem 80 yields
$n^{\Omega(\log n)}$ tree size lower bounds without the need to trace out a subset of qubits. It suffices
for the original state to be almost maximally entangled, no matter how one partitions it
into two subsystems of equal size.

But what about 2-D cluster states — do they have tree size $n^{\Omega(\log n)}$? I strongly
conjecture that the answer is 'yes.' However, proving this conjecture will almost certainly
require going beyond Theorem 80. One will want to use random restrictions that respect
the 2-D neighborhood structure of cluster states — similar to the restrictions used by Raz
[195] to show that the permanent and determinant have multilinear formula size $n^{\Omega(\log n)}$.

I end this section by showing that there exist states that are persistently entangled
in the sense of Dür and Briegel [100], but that have polynomial tree size. In particular,
Dür and Briegel showed that even one-dimensional cluster states are persistently entangled.
On the other hand:



Proposition 92 Let

$$|\psi\rangle = \frac{1}{2^{n/2}} \sum_{x \in \{0,1\}^n} (-1)^{x_1 x_2 + x_2 x_3 + \cdots + x_{n-1} x_n} |x\rangle.$$

Then $\mathrm{TS}(|\psi\rangle) = O(n^4)$.

Proof. Given bits $i, j, k$, let $|P_n^{ijk}\rangle$ be an equal superposition over all $n$-bit strings
$x_1 \ldots x_n$ such that $x_1 = i$, $x_n = k$, and $x_1 x_2 + \cdots + x_{n-1} x_n \equiv j \pmod 2$. Then



piOk\ 

n I 



P, 



ilk 




piO()\ 
n/2/ 

piOl 

p«00\ 
n/2/ 

piOl 
r n/2 



poofc\ I 

n/2 J + 

pOOfc\ , 

n/2 j 

poifc\ , 

^n/2 j 

poifc\ , 

W2 / + 



pilO 

-Si/2 

pill 
r n/2 

pilO 
-Si/2 

pill 
^n/2 



p01fe\ I 
«/2 / + 

poife\ , 

V2 / + 

poofc\ , 

r n/2 j + 

poofc\ , 
WJ / + 



pi00\ 

»/2/ 

piOl 
^n/2 



P 



i00\ 
72/ 

piOl 
r n/2 



plOfe\ , 
^n/2 j 

piifc\ , 

n/2 / + 



pllfe 
^n/2 



+ 



piofc\ I 

V2 / + 



pilO 
r n/5 

pill 
-Si/2 

pilO 

-Si/2 

pill 
Therefore TS



Finally observe that 



< 16 TS 



|Q) + |1) 
V2 



n/2 



TS 



P*J 
± n 



, and solving this recurrence relation yields 
= O (n 4 ) . 



13.6 Manifestly Orthogonal Tree Size 

This section studies the manifestly orthogonal tree size of coset states:⁷ states having the
form

$$|C\rangle = \frac{1}{\sqrt{|C|}} \sum_{x \in C} |x\rangle$$

where $C = \{x \mid Ax = b\}$ is a coset in $\mathbb{Z}_2^n$. In particular, I present a tight characterization of
$\mathrm{MOTS}(|C\rangle)$, which enables me to prove exponential lower bounds on it, in contrast to the
$n^{\Omega(\log n)}$ lower bounds for ordinary tree size. This characterization also yields a separation
between orthogonal and manifestly orthogonal tree size; and an algorithm for computing
$\mathrm{MOTS}(|C\rangle)$ whose complexity is only singly exponential in $n$. My proof technique is
independent of Raz's, and is highly tailored to take advantage of manifest orthogonality.
However, even if this technique finds no other application, it has two features that I hope will
make it of independent interest to complexity theorists. First, it yields tight lower bounds,
and second, it does not obviously "naturalize" in the sense of Razborov and Rudich [200].
Rather, it takes advantage of certain structural properties of coset states that do not seem
to hold for random states.

Given a state $|\psi\rangle$, recall that the manifestly orthogonal tree size $\mathrm{MOTS}(|\psi\rangle)$ is the
minimum size of a tree representing $|\psi\rangle$, in which all additions are of two states $|\psi_1\rangle$, $|\psi_2\rangle$
with "disjoint supports" — that is, either $\langle\psi_1|x\rangle = 0$ or $\langle\psi_2|x\rangle = 0$ for every basis state
$|x\rangle$. Here the size $|T|$ of $T$ is the number of leaf vertices. We can assume without loss
of generality that every $+$ or $\otimes$ vertex has at least one child, and that every child of a $+$
vertex is a $\otimes$ vertex and vice versa. Also, given a set $S \subseteq \{0,1\}^n$, let

$$|S\rangle = \frac{1}{\sqrt{|S|}} \sum_{x \in S} |x\rangle$$

be a uniform superposition over the elements of $S$, and let $M(S) := \mathrm{MOTS}(|S\rangle)$.

⁷ All results apply equally well to the subgroup states of Section 13.5.1; the greater generality of coset
states is just for convenience.

Let $C = \{x : Ax = b\}$ be a subgroup in $\mathbb{Z}_2^n$, for some $A \in \mathbb{Z}_2^{k \times n}$ and $b \in \mathbb{Z}_2^k$. Let
$[n] = \{1, \ldots, n\}$, and let $(I, J)$ be a nontrivial partition of $[n]$ (one where $I$ and $J$ are both
nonempty). Then clearly there exist distinct cosets $C_I^{(1)}, \ldots, C_I^{(H)}$ in the $I$ subsystem, and
distinct cosets $C_J^{(1)}, \ldots, C_J^{(H)}$ in the $J$ subsystem, such that

$$C = \bigcup_{h \in [H]} C_I^{(h)} \otimes C_J^{(h)}.$$

The $C_I^{(h)}$'s and $C_J^{(h)}$'s are unique up to ordering. Furthermore, the quantities $|C_I^{(h)}|$, $|C_J^{(h)}|$,
$M(C_I^{(h)})$, and $M(C_J^{(h)})$ remain unchanged as we range over $h \in [H]$. For this reason I
suppress the dependence on $h$ when mentioning them.

For various sets $S$, the strategy will be to analyze $M(S) / |S|$, the ratio of tree size
to cardinality. We can think of this ratio as the "price per pound" of $S$: the number of
vertices that we have to pay per basis state that we cover. The following lemma says that,
under that cost measure, a coset is "as good a deal" as any of its subsets:



Lemma 93 For all cosets $C$,

$$\frac{M(C)}{|C|} = \min \left( \frac{M(S)}{|S|} \right)$$

where the minimum is over nonempty $S \subseteq C$.

Proof. By induction on $n$. The base case $n = 1$ is obvious, so assume the lemma
true for $n - 1$. Choose $S^* \subseteq C$ to minimize $M(S^*) / |S^*|$. Let $T$ be a manifestly orthogonal
tree for $|S^*\rangle$ of minimum size, and let $v$ be the root of $T$. We can assume without loss of
generality that $v$ is a $\otimes$ vertex, since otherwise $v$ has some $\otimes$ child representing a set $R \subset S^*$
such that $M(R) / |R| \le M(S^*) / |S^*|$. Therefore for some nontrivial partition $(I, J)$ of $[n]$,
and some $S_I^* \subseteq \{0,1\}^{|I|}$ and $S_J^* \subseteq \{0,1\}^{|J|}$, we have

$$|S^*\rangle = |S_I^*\rangle \otimes |S_J^*\rangle,$$
$$|S^*| = |S_I^*|\, |S_J^*|,$$
$$M(S^*) = M(S_I^*) + M(S_J^*),$$

where the last equality holds because if $M(S^*) < M(S_I^*) + M(S_J^*)$, then $T$ was not a
minimal tree for $|S^*\rangle$. Then

$$\frac{M(S^*)}{|S^*|} = \frac{M(S_I^*) + M(S_J^*)}{|S_I^*|\, |S_J^*|} = \min \left( \frac{M(S_I) + M(S_J)}{|S_I|\, |S_J|} \right)$$

where the minimum is over nonempty $S_I \subseteq \{0,1\}^{|I|}$ and $S_J \subseteq \{0,1\}^{|J|}$ such that $S_I \otimes S_J \subseteq
C$. Now there must be an $h$ such that $S_I^* \subseteq C_I^{(h)}$ and $S_J^* \subseteq C_J^{(h)}$, since otherwise some
$x \notin C$ would be assigned nonzero amplitude. By the induction hypothesis,

$$\frac{M(C_I)}{|C_I|} = \min \left( \frac{M(S_I)}{|S_I|} \right), \qquad \frac{M(C_J)}{|C_J|} = \min \left( \frac{M(S_J)}{|S_J|} \right),$$

where the minima are over nonempty $S_I \subseteq C_I^{(h)}$ and $S_J \subseteq C_J^{(h)}$ respectively. Define $\beta =
|S_I| \cdot |S_J| / M(S_J)$ and $\gamma = |S_J| \cdot |S_I| / M(S_I)$. Then since setting $S_I := C_I^{(h)}$ and $S_J := C_J^{(h)}$
maximizes the four quantities $|S_I|$, $|S_J|$, $|S_I| / M(S_I)$, and $|S_J| / M(S_J)$ simultaneously, this
choice also maximizes $\beta$ and $\gamma$ simultaneously. Therefore it maximizes their harmonic
mean,

$$\frac{\beta\gamma}{\beta + \gamma} = \frac{|S_I|\, |S_J|}{M(S_I) + M(S_J)} = \frac{|S|}{M(S)}.$$

We have proved that setting $S := C_I^{(h)} \otimes C_J^{(h)}$ maximizes $|S| / M(S)$, or equivalently
minimizes $M(S) / |S|$. The one remaining observation is that taking the disjoint sum of
$C_I^{(h)} \otimes C_J^{(h)}$ over all $h \in [H]$ leaves the ratio $M(S) / |S|$ unchanged. So setting $S := C$ also
minimizes $M(S) / |S|$, and we are done. ■

I can now give a recursive characterization of M (C). 

Theorem 94 If $n \ge 2$, then

$$M(C) = |C| \min \left( \frac{M(C_I) + M(C_J)}{|C_I|\, |C_J|} \right)$$

where the minimum is over nontrivial partitions $(I, J)$ of $[n]$.

Proof. The upper bound is obvious; let us prove the lower bound. Let $T$ be a
manifestly orthogonal tree for $|C\rangle$ of minimum size, and let $v^{(1)}, \ldots, v^{(L)}$ be the topmost
$\otimes$ vertices in $T$. Then there exists a partition $(S^{(1)}, \ldots, S^{(L)})$ of $C$ such that the subtree
rooted at $v^{(i)}$ represents $|S^{(i)}\rangle$. We have

$$M(S^{(1)}) + \cdots + M(S^{(L)}) = |S^{(1)}|\, \frac{M(S^{(1)})}{|S^{(1)}|} + \cdots + |S^{(L)}|\, \frac{M(S^{(L)})}{|S^{(L)}|}.$$

Now let $\eta = \min_i (M(S^{(i)}) / |S^{(i)}|)$. We will construct a partition $(R^{(1)}, \ldots, R^{(H)})$ of
$C$ such that $M(R^{(h)}) / |R^{(h)}| = \eta$ for all $h \in [H]$, which will imply a new tree $T'$ with
$|T'| \le |T|$. Choose $j \in [L]$ such that $M(S^{(j)}) / |S^{(j)}| = \eta$, and suppose vertex $v^{(j)}$ of $T$
expresses $|S^{(j)}\rangle$ as $|S_I\rangle \otimes |S_J\rangle$ for some nontrivial partition $(I, J)$. Then

$$\eta = \frac{M(S^{(j)})}{|S^{(j)}|} = \frac{M(S_I) + M(S_J)}{|S_I|\, |S_J|}$$

where $M(S^{(j)}) = M(S_I) + M(S_J)$ follows from the minimality of $T$. As in Lemma 93,
there must be an $h$ such that $S_I \subseteq C_I^{(h)}$ and $S_J \subseteq C_J^{(h)}$. But Lemma 93 then implies that
$M(C_I) / |C_I| \le M(S_I) / |S_I|$ and that $M(C_J) / |C_J| \le M(S_J) / |S_J|$. Combining these
bounds with $|C_I| \ge |S_I|$ and $|C_J| \ge |S_J|$, we obtain by a harmonic mean inequality that

$$\frac{M(C_I \otimes C_J)}{|C_I \otimes C_J|} \le \frac{M(C_I) + M(C_J)}{|C_I|\, |C_J|} \le \frac{M(S_I^*) + M(S_J^*)}{|S_I^*|\, |S_J^*|} = \eta.$$

So setting $R^{(h)} := C_I^{(h)} \otimes C_J^{(h)}$ for all $h \in [H]$ yields a new tree $T'$ no larger than $T$. Hence
by the minimality of $T$,

$$M(C) = |T| = |T'| = H \cdot M(C_I \otimes C_J) = \frac{|C|}{|C_I|\, |C_J|} \cdot (M(C_I) + M(C_J)).$$
■

One can express Theorem 94 directly in terms of the matrix $A$ as follows. Let
$M(A) = M(C) = \mathrm{MOTS}(|C\rangle)$ where $C = \{x : Ax = b\}$ (the vector $b$ is irrelevant, so long
as $Ax = b$ is solvable). Then

$$M(A) = \min \left( 2^{\mathrm{rank}(A_I) + \mathrm{rank}(A_J) - \mathrm{rank}(A)} \, (M(A_I) + M(A_J)) \right) \qquad (*)$$

where the minimum is over all nontrivial partitions $(A_I, A_J)$ of the columns of $A$. As a
base case, if $A$ has only one column, then $M(A) = 2$ if $A = 0$ and $M(A) = 1$ otherwise.
This immediately implies the following.

Corollary 95 There exists a deterministic $O(n 3^n)$-time algorithm that computes $M(A)$,
given $A$ as input.

Proof. First compute $\mathrm{rank}(A^*)$ for all $2^{n-1}$ matrices $A^*$ that are formed by
choosing a subset of the columns of $A$. This takes time $O(n^3 2^n)$. Then compute $M(A^*)$
for all $A^*$ with one column, then for all $A^*$ with two columns, and so on, applying the
formula (*) recursively. This takes time

$$\sum_{t=1}^{n} \binom{n}{t}\, t\, 2^t = O(n 3^n).$$
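
The dynamic program from the proof of Corollary 95, written out as an added Python example (not code from the thesis). It assumes formula (*) reads $M(A) = \min 2^{\mathrm{rank}(A_I) + \mathrm{rank}(A_J) - \mathrm{rank}(A)} (M(A_I) + M(A_J))$, which is what Theorem 94 gives when $|C| = 2^{n - \mathrm{rank}(A)}$; the function names and the encoding of each column of $A$ as an integer bitmask are choices made for this example.

```python
def gf2_rank(vectors):
    """Rank over Z_2 of column vectors encoded as ints (bit r = entry in row r)."""
    pivots = {}                          # highest set bit -> basis vector
    for v in vectors:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]               # eliminate the leading bit and retry
    return len(pivots)


def mots_coset(columns):
    """M(A) = MOTS(|C>) for C = {x : Ax = b}, computed from formula (*).

    `columns` lists the n columns of A as ints. Every subset of columns is a
    bitmask; subsets are processed in increasing numeric order, so both halves
    of any partition are already solved when they are needed.
    """
    n = len(columns)
    full = (1 << n) - 1

    # Step 1 of the proof: rank of every column subset.
    rank = [0] * (full + 1)
    for mask in range(1, full + 1):
        rank[mask] = gf2_rank([columns[i] for i in range(n) if (mask >> i) & 1])

    # Step 2: fill in M for subsets of growing size.
    M = [0] * (full + 1)
    for mask in range(1, full + 1):
        if mask & (mask - 1) == 0:
            # Base case: a single column costs 2 leaves if it is zero, else 1.
            i = mask.bit_length() - 1
            M[mask] = 2 if columns[i] == 0 else 1
            continue
        low = mask & -mask               # pin the lowest column to side I so each
        best = None                      # unordered partition is visited once
        sub = (mask - 1) & mask
        while sub:
            if sub & low:
                other = mask ^ sub
                cost = (1 << (rank[sub] + rank[other] - rank[mask])) * (M[sub] + M[other])
                best = cost if best is None else min(best, cost)
            sub = (sub - 1) & mask       # next proper submask
        M[mask] = best
    return M[full]


if __name__ == "__main__":
    # Constructed inputs: the parity coset (A = one all-ones row), a full-rank
    # A, the zero matrix, and the 2 x 3 matrix whose coset for b = 0 is {000, 111}.
    print(mots_coset([1] * 8))               # parity on 8 bits
    print(mots_coset([1, 2, 4, 8]))          # identity: a single basis state
    print(mots_coset([0] * 5))               # all of {0,1}^5
    print(mots_coset([0b01, 0b11, 0b10]))    # GHZ-like coset
```

For the parity coset the program returns $n^2$ when $n$ is a power of two, matching the recursion $\mathrm{MOTS}(|P_n^i\rangle) \le 4\,\mathrm{MOTS}(|P_{n/2}^i\rangle)$ from Theorem 78, part (iv).
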



Another easy consequence of Theorem 94 is that the language $\{A : M(A) \le s\}$ is
in $\mathsf{NP}$. I do not know whether this language is $\mathsf{NP}$-complete but suspect it is.

As mentioned above, my characterization makes it possible to prove exponential 
lower bounds on the manifestly orthogonal tree size of coset states. 

Theorem 96 Suppose the entries of $A \in \mathbb{Z}_2^{k \times n}$ are drawn uniformly and independently at
random, where $k \in \left[ 4 \log_2 n,\; \frac{1}{2}\sqrt{n \ln 2} \right]$. Then $M(A) = (n / k^2)^{\Omega(k)}$ with probability $\Omega(1)$
over $A$.

Proof. Let us upper-bound the probability that certain "bad events" occur when
$A$ is drawn. The first bad event is that $A$ contains an all-zero column. This occurs
with probability at most $2^{-k} n = o(1)$. The second bad event is that there exists a $k \times d$
submatrix of $A$ with $d \ge 12k$ that has rank at most $2k/3$. This also occurs with probability
$o(1)$. For we claim that, if $A^*$ is drawn uniformly at random from $\mathbb{Z}_2^{k \times d}$, then

$$\Pr \left[ \mathrm{rank}(A^*) \le r \right] \le \binom{d}{r} \left( \frac{2^r}{2^k} \right)^{d-r}.$$

To see this, imagine choosing the columns of $A^*$ one by one. For $\mathrm{rank}(A^*)$ to be at most $r$,
there must be at least $d - r$ columns that are linearly dependent on the previous columns.
But each column is dependent on the previous ones with probability at most $2^r / 2^k$. The
claim then follows from the union bound. So the probability that any $k \times d$ submatrix of
$A$ has rank at most $r$ is at most

$$\binom{n}{d} \binom{d}{r} \left( \frac{2^r}{2^k} \right)^{d-r} \le n^d d^r \left( \frac{2^r}{2^k} \right)^{d-r}.$$

Set $r = 2k/3$ and $d = 12k$; then the above is at most

$$\exp \left\{ 12k \log n + \frac{2k}{3} \log(12k) - \left( 12k - \frac{2k}{3} \right) \frac{k}{3} \right\} = o(1)$$

where we have used the fact that $k \ge 4 \log n$.

Assume that neither bad event occurs, and let $(A_I^{(0)}, A_J^{(0)})$ be a partition of the
columns of $A$ that minimizes the expression (*). Let $A^{(1)} = A_I^{(0)}$ if $|A_I^{(0)}| \ge |A_J^{(0)}|$ and
$A^{(1)} = A_J^{(0)}$ otherwise, where $|A_I^{(0)}|$ and $|A_J^{(0)}|$ are the numbers of columns in $A_I^{(0)}$ and $A_J^{(0)}$
respectively (so that $|A_I^{(0)}| + |A_J^{(0)}| = n$). Likewise, let $(A_I^{(1)}, A_J^{(1)})$ be an optimal partition
of the columns of $A^{(1)}$, and let $A^{(2)} = A_I^{(1)}$ if $|A_I^{(1)}| \ge |A_J^{(1)}|$ and $A^{(2)} = A_J^{(1)}$ otherwise.
Continue in this way until an $A^{(t)}$ is reached such that $|A^{(t)}| = 1$. Then an immediate
consequence of (*) is that $M(A) \ge Z^{(0)} \cdots Z^{(t-1)}$ where

$$Z^{(\ell)} = 2^{\mathrm{rank}(A_I^{(\ell)}) + \mathrm{rank}(A_J^{(\ell)}) - \mathrm{rank}(A^{(\ell)})}$$

and $A^{(0)} = A$.

Call £ 

otherwise. If 



a "balanced cut" if min 



A 



A 



(0 



I > 12k, and an "unbalanced cut" 



> 2k/ 3 and rank [A 



> 2k/3, so 



is a balanced cut, then rank yAj 
z {t) > 2 fe /3. if ^ i s a n unbalanced cut, then call £ a "freebie" if rank [Af } \ +rank [Aj 

rank (yl^) . There can be at most k freebies, since for each one, rank (A^) < rank (A®) 
by the assumption that all columns of A are nonzero. For the other unbalanced cuts, 
> 2. 

Assume = \A®\ /2 for each balanced cut and = \A®\ - 12k for 

each unbalanced cut. Then if the goal is to minimize Z<°) Z^ 1 ), clearly the best 

strategy is to perform balanced cuts first, then unbalanced cuts until \ A^ | = 12k 2 , at which 
point we can use the k freebies. Let B be the number of balanced cuts; then 



Z (o) 



v-(t-l) _ / 2 fc / 3N \ B 2(™/ 2S - 12fc2 )/ 12fc 
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This is minimized by taking B = log 2 (^^r), in which case Z^> Z^ 1 ^ = (n/k 2 ) ( '. 

m 

A final application of my characterization is to separate orthogonal from manifestly 
orthogonal tree size. 

Corollary 97 There exist states with polynomially-bounded orthogonal tree size, but
manifestly orthogonal tree size $n^{\Omega(\log n)}$. Thus OTree ≠ MOTree.

Proof. Set $k = 4 \log_2 n$, and let $C = \{x : Ax = 0\}$ where $A$ is drawn uniformly at
random from $\mathbb{Z}_2^{k \times n}$. Then by Theorem 96,

$$\mathrm{MOTS}(|C\rangle) = (n/k^2)^{\Omega(k)} = n^{\Omega(\log n)}$$

with probability $\Omega(1)$ over $A$. On the other hand, if we view $|C\rangle$ in the Fourier basis (that
is, apply a Hadamard to every qubit), then the resulting state has only $2^k = n^{16}$ basis states
with nonzero amplitude, and hence has orthogonal tree size at most $n^{17}$. So by Proposition
EH part (i), $\mathrm{OTS}(|C\rangle) \le 2n^{17}$ as well. ■

Indeed, the orthogonal tree states of Corollary 97 are superpositions over polynomially
many separable states, so it also follows that $\Sigma_2 \not\subset \mathrm{MOTree}$.



13.7 Computing With Tree States 

Suppose a quantum computer is restricted to being in a tree state at all times. (We can 
imagine that if the tree size ever exceeds some polynomial bound, the quantum computer 
explodes, destroying our laboratory.) Does the computer then have an efficient classical 
simulation? In other words, letting TreeBQP be the class of languages accepted by such a 
machine, does TreeBQP = BPP? A positive answer would make tree states more attractive 
as a Sure/Shor separator. For once we admit any states incompatible with the polynomial-
time Church-Turing thesis, it seems like we might as well go all the way, and admit all
states preparable by polynomial-size quantum circuits! The TreeBQP versus BPP problem is
closely related to the problem of finding an efficient (classical) algorithm to learn multilinear
formulas. In light of Raz's lower bound, and of the connection between lower bounds and
learning noticed by Linial, Mansour, and Nisan [166], the latter problem might be less
hopeless than it looks. In this section I show a weaker result: that TreeBQP is contained in
$\Sigma_3^P \cap \Pi_3^P$, the third level of the polynomial hierarchy. Since BQP is not known to lie in PH,
this result could be taken as weak evidence that TreeBQP ≠ BQP. (On the other hand, we
do not yet have oracle evidence even for BQP ⊄ AM, though not for lack of trying 5.)

Definition 98 TreeBQP is the class of languages accepted by a BQP machine subject to
the constraint that at every time step $t$, the machine's state $|\psi^{(t)}\rangle$ is exponentially close to
a tree state. More formally, the initial state is $|\psi^{(0)}\rangle = |0\rangle^{\otimes (p(n)-n)} \otimes |x\rangle$ (for an input
$x \in \{0,1\}^n$ and polynomial bound $p$), and a uniform classical polynomial-time algorithm
generates a sequence of gates $g^{(1)}, \ldots, g^{(p(n))}$. Each $g^{(t)}$ can either be selected from
some finite universal basis of unitary gates (as will be shown in Theorem 99, part (i), the
choice of gate set does not matter), or can be a 1-qubit measurement. When we perform a
measurement, the state evolves to one of two possible pure states, with the usual probabilities,
rather than to a mixed state. We require that the final gate $g^{(p(n))}$ is a measurement of
the first qubit. If at least one intermediate state $|\psi^{(t)}\rangle$ had $\mathrm{TS}_{1/2^{\Omega(n)}}(|\psi^{(t)}\rangle) > p(n)$, then
the outcome of the final measurement is chosen adversarially; otherwise it is given by the
usual Born probabilities. The measurement must return 1 with probability at least 2/3 if
the input is in the language, and with probability at most 1/3 otherwise.

Some comments on the definition: I allow $|\psi^{(t)}\rangle$ to deviate from a tree state by
an exponentially small amount, in order to make the model independent of the choice of
gate set. I allow intermediate measurements because otherwise it is unclear even how to
simulate BPP. 8 The rule for measurements follows the "Copenhagen interpretation," in
the sense that if a qubit is measured to be 1, then subsequent computation is not affected
by what would have happened were the qubit measured to be 0. In particular, if measuring
0 would have led to states of tree size greater than $p(n)$, that does not invalidate the results
of the path where 1 is measured.

The following theorem shows that TreeBQP has many of the properties one would 
want it to have. 

Theorem 99 

(i) The definition of TreeBQP is invariant under the choice of gate set. 

(ii) The probabilities (1/3, 2/3) can be replaced by any $(p, 1-p)$ with $2^{-2^{\sqrt{\log n}}} \le p < 1/2$.

(iii) BPP ⊆ TreeBQP ⊆ BQP.

Proof. 

(i) The Solovay-Kitaev Theorem [153, 182] shows that given a universal gate set, one can
approximate any $k$-qubit unitary to accuracy $1/\varepsilon$ using $k$ qubits and a circuit of size
$O(\mathrm{polylog}(1/\varepsilon))$. So let $|\psi^{(0)}\rangle, \ldots, |\psi^{(p(n))}\rangle \in \mathcal{H}_2^{\otimes p(n)}$ be a sequence of states, with
$|\psi^{(t)}\rangle$ produced from $|\psi^{(t-1)}\rangle$ by applying a $k$-qubit unitary $g^{(t)}$ (where $k = O(1)$).
Then using a polynomial-size circuit, one can approximate each $|\psi^{(t)}\rangle$ to accuracy
$1/2^{\Omega(n)}$, as in the definition of TreeBQP. Furthermore, since the approximation
circuit for $g^{(t)}$ acts only on $k$ qubits, any intermediate state $|\varphi\rangle$ it produces satisfies
$\mathrm{TS}_{1/2^{\Omega(n)}}(|\varphi\rangle) \le k 4^k \, \mathrm{TS}_{1/2^{\Omega(n)}}(|\psi^{(t-1)}\rangle)$ by Proposition EU

(ii) To amplify to a constant probability, run $k$ copies of the computation in tensor
product, then output the majority answer. By part (i), outputting the majority can
increase the tree size by a factor of at most $2^{k+1}$. To amplify to $2^{-2^{\sqrt{\log n}}}$, observe
that the Boolean majority function on $k$ bits has a multilinear formula of size $k^{O(\log k)}$.
For let $T_k^h(x_1, \ldots, x_k)$ equal 1 if $x_1 + \cdots + x_k \ge h$ and 0 otherwise; then

$$T_k^h(x_1, \ldots, x_k) = 1 - \prod_{i=0}^{h} \left( 1 - T_{\lfloor k/2 \rfloor}^{i}(x_1, \ldots, x_{\lfloor k/2 \rfloor}) \, T_{\lceil k/2 \rceil}^{h-i}(x_{\lfloor k/2 \rfloor + 1}, \ldots, x_k) \right),$$

so $\mathrm{MFS}(T_k^h) \le 2h \max_i \mathrm{MFS}(T_{\lceil k/2 \rceil}^{i}) + O(1)$, and solving this recurrence yields
$\mathrm{MFS}(T_k^{k/2}) = k^{O(\log k)}$. Substituting $k = 2^{\sqrt{\log n}}$ into $k^{O(\log k)}$ yields $n^{O(1)}$, meaning
the tree size increases by at most a polynomial factor.

8 If we try to simulate BPP in the standard way, we might produce complicated entanglement between
the computation register and the register containing the random bits, and no longer have a tree state.

(iii) To simulate BPP, just perform a classical reversible computation, applying a Hadamard 
followed by a measurement to some qubit whenever we need a random bit. Since the 
number of basis states with nonzero amplitude is at most 2, the simulation is clearly 
in TreeBQP. The other containment is obvious. 



Theorem 100 TreeBQP ⊆ $\Sigma_3^P \cap \Pi_3^P$.

Proof. Since TreeBQP is closed under complement, it suffices to show that
TreeBQP ⊆ $\Pi_3^P$. Our proof will combine approximate counting with a predicate to verify
the correctness of a TreeBQP computation. Let $C$ be a uniformly-generated quantum
circuit, and let $M = (m^{(1)}, \ldots, m^{(p(n))})$ be a sequence of binary measurement outcomes. We
adopt the convention that after making a measurement, the state vector is not rescaled to
have norm 1. That way the probabilities across all 'measurement branches' continue to
sum to 1. Let $|\psi_{M,x}^{(0)}\rangle, \ldots, |\psi_{M,x}^{(p(n))}\rangle$ be the sequence of unnormalized pure states under
measurement outcome sequence $M$ and input $x$, where

$$|\psi_{M,x}^{(t)}\rangle = \sum_{y \in \{0,1\}^{p(n)}} \alpha_{y,M,x}^{(t)} |y\rangle.$$

Also, let $\Lambda(M, x)$ express that $\mathrm{TS}_{1/2^{\Omega(n)}}(|\psi_{M,x}^{(t)}\rangle) \le p(n)$ for every $t$. Then $C$ accepts if

$$W_x = \sum_{M : \Lambda(M,x)} \; \sum_{y \in \{0,1\}^{p(n)-1}} \left| \alpha_{1y,M,x}^{(p(n))} \right|^2 \ge \frac{2}{3},$$

while $C$ rejects if $W_x \le 1/3$. If we could compute each $|\alpha_{1y,M,x}^{(p(n))}|$ efficiently (as well as
$\Lambda(M, x)$), we would then have a predicate expressing that $W_x \ge 2/3$. This follows
since we can do approximate counting via hashing in AM ⊆ $\Pi_2^P$ [131], and thereby verify
that an exponentially large sum of nonnegative terms is at least 2/3, rather than at most
1/3. The one further fact we need is that in our (∀∃) predicate, we can take the
existential quantifier to range over tuples of 'candidate solutions' — that is, $(M, y)$ pairs
together with lower bounds $\beta$ on $|\alpha_{1y,M,x}^{(p(n))}|$.

It remains only to show how we verify that $\Lambda(M, x)$ holds and that $|\alpha_{1y,M,x}^{(p(n))}| = \beta$.
First, we extend the existential quantifier so that it guesses not only $M$ and $y$, but also a
sequence of trees $T^{(0)}, \ldots, T^{(p(n))}$, representing $|\psi_{M,x}^{(0)}\rangle, \ldots, |\psi_{M,x}^{(p(n))}\rangle$ respectively. Second,
using the last universal quantifier to range over $y \in \{0,1\}^{p(n)}$, we verify the following:

(1) $T^{(0)}$ is a fixed tree representing $|0\rangle^{\otimes (p(n)-n)} \otimes |x\rangle$.

(2) $|\alpha_{1y,M,x}^{(p(n))}|$ equals its claimed value to $\Omega(n)$ bits of precision.

(3) Let $g^{(1)}, \ldots, g^{(p(n))}$ be the gates applied by $C$. Then for all $t$ and $y$, if $g^{(t)}$ is unitary
then $\alpha_{y,M,x}^{(t)} = \langle y | \cdot g^{(t)} |\psi_{M,x}^{(t-1)}\rangle$ to $\Omega(n)$ bits of precision. Here the right-hand side is a
sum of $2^k$ terms ($k$ being the number of qubits acted on by $g^{(t)}$), each term efficiently
computable given $T^{(t-1)}$. Similarly, if $g^{(t)}$ is a measurement of the $i$th qubit, then
$\alpha_{y,M,x}^{(t)} = \alpha_{y,M,x}^{(t-1)}$ if the $i$th bit of $y$ equals $m^{(t)}$, while $\alpha_{y,M,x}^{(t)} = 0$ otherwise.



In the proof of Theorem 100, the only fact about tree states I needed was that
Tree ⊆ AmpP; that is, there is a polynomial-time classical algorithm that computes the
amplitude $\alpha_x$ of any basis state $|x\rangle$. So if we define AmpP-BQP analogously to TreeBQP
except that any states in AmpP are allowed, then AmpP-BQP ⊆ $\Sigma_3^P \cap \Pi_3^P$ as well.



13.8 The Experimental Situation 

The results of this chapter suggest an obvious challenge for experimenters: prepare non-tree 
states in the lab. For were this challenge met, it would rule out one way in which quantum 
mechanics could fail, just as the Bell inequality experiments of Aspect et al. jSZj did twenty 
years ago. If they wished, quantum computing skeptics could then propose a new candidate 
Sure/Shor separator, and experimenters could try to rule out that one, and so on. The 
result would be to divide the question of whether quantum computing is possible into a 
series of smaller questions about which states can be prepared. In my view, this would aid 
progress in two ways: by helping experimenters set clear goals, and by forcing theorists to 
state clear conjectures. 

However, my experimental challenge raises some immediate questions. In particu- 
lar, what would it mean to prepare a non-tree state? How would we know if we succeeded? 
Also, have non-tree states already been prepared (or observed)? The purpose of this section 
is to set out my thoughts about these questions. 

First of all, when discussing experiments, it goes without saying that we must 
convert asymptotic statements into statements about specific values of n. The central 
tenet of computational complexity theory is that this is possible. Thus, instead of asking 
whether $n$-qubit states with tree size $2^{\Omega(n)}$ can be prepared, we ask whether 200-qubit states
with tree size at least (say) $2^{80}$ can be prepared. Even though the second question does
not logically imply anything about the first, the second is closer to what we ultimately
care about anyway. Admittedly, knowing that $\mathrm{TS}(|\psi_n\rangle) = n^{\Omega(\log n)}$ tells us little about
$\mathrm{TS}(|\psi_{100}\rangle)$ or $\mathrm{TS}(|\psi_{200}\rangle)$, especially since in Raz's paper [195], the constant in the exponent
$\Omega(\log n)$ is taken to be $10^{-6}$ (though this can certainly be improved). Thus, proving tight
lower bounds for small $n$ is one of the most important problems left open by this chapter.
In Section 13.6 I show how to solve this problem for the case of manifestly orthogonal tree
size.

A second objection is that my formalism applies only to pure states, but in reality 
all states are mixed. However, there are several natural ways to extend the formalism to 
mixed states. Given a mixed state $\rho$, we could minimize tree size over all purifications of
$\rho$, or minimize the expected tree size $\sum_i |\alpha_i|^2 \, \mathrm{TS}(|\psi_i\rangle)$ or maximum $\max_i \mathrm{TS}(|\psi_i\rangle)$ over
all decompositions $\rho = \sum_i \alpha_i |\psi_i\rangle \langle \psi_i|$.

A third objection is that a real quantum state might be a "soup" of free-wandering
fermions and bosons, with no localized subsystems corresponding to qubits. How can one 
determine the tree size of such a state? The answer is that one cannot. Any complexity 
measure for particle position and momentum states would have to be quite different from the 
measures considered in this chapter. On the other hand, the states of interest for quantum 
computing usually do involve localized qubits. Indeed, even if quantum information is 
stored in particle positions, one might force each particle into two sites (corresponding to 
|0) and |1)), neither of which can be occupied by any other particle. In that case it again 
becomes meaningful to discuss tree size. 

But how do we verify that a state with large tree size was prepared? Of course, if
$|\psi\rangle$ is preparable by a polynomial-size quantum circuit, then assuming quantum mechanics
is valid (and assuming our gates behave as specified), we can always test whether a given
state $|\varphi\rangle$ is close to $|\psi\rangle$ or not. Let $U$ map $|0\rangle^{\otimes n}$ to $|\psi\rangle$; then it suffices to test whether
$U^{-1} |\varphi\rangle$ is close to $|0\rangle^{\otimes n}$. However, in the experiments under discussion, the validity of
quantum mechanics is the very point in question. And once we allow Nature to behave in 
arbitrary ways, a skeptic could explain any experimental result without having to invoke 
states with large tree size. 

The above fact has often been urged against me, but as it stands, it is no different 
from the fact that one could explain any astronomical observation without abandoning the 
Ptolemaic system. The issue here is not one of proof, but of accumulating observations 
that are consistent with the hypothesis of large tree size, and inconsistent with alternative 
hypotheses if we disallow special pleading. So for example, to test whether the subgroup 
state 

$$|S\rangle = \frac{1}{\sqrt{|S|}} \sum_{x \in S} |x\rangle$$

was prepared, we might use CNOT gates to map $|x\rangle$ to $|x\rangle |v^T x\rangle$ for some vector $v \in \mathbb{Z}_2^n$.
Based on our knowledge of $S$, we could then predict whether the qubit $|v^T x\rangle$ should be $|0\rangle$,
$|1\rangle$, or an equal mixture of $|0\rangle$ and $|1\rangle$ when measured. Or we could apply Hadamard gates
to all $n$ qubits of $|S\rangle$, then perform the same test for the subgroup dual to $S$. In saying
that a system is in state $|S\rangle$, it is not clear if we mean anything more than that it responds
to all such tests in expected ways. Similar remarks apply to Shor states and cluster states.

In my view, tests of the sort described above are certainly sufficient, so the inter- 
esting question is whether they are necessary, or whether weaker and more indirect tests 
would also suffice. This question rears its head when we ask whether non-tree states have 
already been observed. For as pointed out to me by Anthony Leggett, there exist systems 
studied in condensed-matter physics that are strong candidates for having superpolynomial 
tree size. An example is the magnetic salt LiHo$_x$Y$_{1-x}$F$_4$ studied by Ghosh et al. [124],
which, like the cluster states of Briegel and Raussendorf [JJ, basically consists of a lattice 
of spins subject to pairwise nearest-neighbor Hamiltonians. The main differences are that 
the salt lattice is 3-D instead of 2-D, is tetragonal instead of cubic, and is irregular in 
that not every site is occupied by a spin. Also, there are weak interactions even between 
spins that are not nearest neighbors. But none of these differences seem likely to change a 
superpolynomial tree size into a polynomial one. 

For me, the main issues are (1) how precisely can we characterize 9 the quantum
state of the magnetic salt, and (2) how strong the evidence is that that is the state. What
Ghosh et al. [124] did was to calculate bulk properties of the salt, such as its magnetic
susceptibility and specific heat, with and without taking into account the quantum en- 
tanglement generated by the nearest-neighbor Hamiltonians. They found that including 
entanglement yielded a better fit to the experimentally measured values. However, this is 
clearly a far cry from preparing a system in a state of one's choosing by applying a known 
pulse sequence, and then applying any of a vast catalog of tests to verify that the state was 
prepared. So it would be valuable to have more direct evidence that states qualitatively 
like cluster states can exist in Nature. 

In summary, the ideas of this chapter underscore the importance of current ex- 
perimental work on large, persistently entangled quantum states; but they also suggest a 
new motivation and perspective for this work. They suggest that we reexamine known 
condensed-matter systems with a new goal in mind: understanding the complexity of their 
associated quantum states. They also suggest that 2-D cluster states and random subgroup 
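states are interesting in a way that 1-D spin chains and Schrödinger cat states are not. Yet
when experimenters try to prepare states of the former type, they often see it as merely
a stepping stone towards demonstrating error-correction or another quantum computing
benchmark. Thus, Knill et al. [158] prepared 10 the 5-qubit state

$$|\psi\rangle = \frac{1}{4} \left( \begin{array}{l}
|00000\rangle + |10010\rangle + |01001\rangle + |10100\rangle \\
+ |01010\rangle - |11011\rangle - |00110\rangle - |11000\rangle \\
- |11101\rangle - |00011\rangle - |11110\rangle - |01111\rangle \\
- |10001\rangle - |01100\rangle - |10111\rangle + |00101\rangle
\end{array} \right)$$

for which $\mathrm{MOTS}(|\psi\rangle) = 40$ from the decomposition

$$|\psi\rangle = \frac{1}{4} \left( \begin{array}{l}
(|01\rangle + |10\rangle) \otimes (|010\rangle - |111\rangle) + (|01\rangle - |10\rangle) \otimes (|001\rangle - |100\rangle) \\
- (|00\rangle + |11\rangle) \otimes (|011\rangle + |110\rangle) + (|00\rangle - |11\rangle) \otimes (|000\rangle + |101\rangle)
\end{array} \right)$$

and for which I conjecture $\mathrm{TS}(|\psi\rangle) = 40$ as well. However, the sole motivation of the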
experiment was to demonstrate a 5-qubit quantum error-correcting code. In my opinion, 
whether states with large tree size can be prepared is a fundamental question in its own 
right. Were that question studied directly, perhaps we could address it for larger numbers 
of qubits. 

Let me end by stressing that, in the perspective I am advocating, there is nothing 
sacrosanct about tree size as opposed to other complexity measures. This chapter concen- 
trated on tree size because it is the subject of our main results, and because it is better to 

9 By "characterize," I mean give an explicit formula for the amplitudes at a particular time t, in some 
standard basis. If a state is characterized as the ground state of a Hamiltonian, then we first need to solve 
for the amplitudes before we can prove tree size lower bounds using Raz's method. 

10 Admittedly, what they really prepared is the 'pseudo-pure' state $\rho = \varepsilon |\psi\rangle \langle \psi| + (1 - \varepsilon) I$, where $I$ is the
maximally mixed state and $\varepsilon \approx 10^{-5}$. Braunstein et al. [69] have shown that, if the number of qubits n is
less than about 14, then such states cannot be entangled. That is, there exists a representation of $\rho$ as a
mixture of pure states, each of which is separable and therefore has tree size O(n). This is a well-known
limitation of the liquid NMR technology used by Knill et al. Thus, a key challenge is to replicate the
successes of liquid NMR using colder qubits.

be specific than vague. On the other hand, Sections 13.3, 13.4 and 13.6 contain numerous
results about orthogonal tree size, manifestly orthogonal tree size, Vidal's $\chi$ complexity,
and other measures. Readers dissatisfied with all of these measures are urged to propose 
new ones, perhaps motivated directly by experiments. I see nothing wrong with having 
multiple ways to quantify the complexity of quantum states, and much wrong with having 
no ways. 

13.9 Conclusion and Open Problems 

A crucial step in quantum computing was to separate the question of whether quantum 
computers can be built from the question of what one could do with them. This separation 
allowed computer scientists to make great advances on the latter question, despite know- 
ing nothing about the former. I have argued, however, that the tools of computational 
complexity theory are relevant to both questions. The claim that large-scale quantum com- 
puting is possible in principle is really a claim that certain states can exist — that quantum 
mechanics will not break down if we try to prepare those states. Furthermore, what distin- 
guishes these states from states we have seen must be more than precision in amplitudes, or 
the number of qubits maintained coherently. The distinguishing property should instead 
be some sort of complexity. That is, Sure states should have succinct representations of a 
type that Shor states do not. 

I have tried to show that, by adopting this viewpoint, we make the debate about 
whether quantum computing is possible less ideological and more scientific. By studying 
particular examples of Sure/Shor separators, quantum computing skeptics would strengthen 
their case — for they would then have a plausible research program aimed at identifying what, 
exactly, the barriers to quantum computation are. I hope, however, that the 'complexity 
theory of quantum states' initiated here will be taken up by quantum computing proponents 
as well. This theory offers a new perspective on the transition from classical to quantum 
computing, and a new connection between quantum computing and the powerful circuit 
lower bound techniques of classical complexity theory. 

I end with some open problems. 

(1) Can Raz's technique be improved to show exponential tree size lower bounds? 

(2) Can we prove Conjecture 90, implying an $n^{\Omega(\log n)}$ tree size lower bound for Shor
states?

(3) Let $|\varphi\rangle$ be a uniform superposition over all n-bit strings of Hamming weight n/2. It
is easy to show by divide-and-conquer that $\mathrm{TS}(|\varphi\rangle) = n^{O(\log n)}$. Is this upper bound
tight? More generally, can we show a superpolynomial tree size lower bound for any
state with permutation symmetry?

(4) Is Tree = OTree? That is, are there tree states that are not orthogonal tree states?

(5) Is the tensor-sum hierarchy of Section 13.2 infinite? That is, do we have $\Sigma_k \ne \Sigma_{k+1}$
for all k?

(6) Is TreeBQP = BPP? That is, can a quantum computer that is always in a tree state
be simulated classically? The key question seems to be whether the concept class of 
multilinear formulas is efficiently learnable. 

(7) Is there a practical method to compute the tree size of, say, 10-qubit states? Such a 
method would have great value in interpreting experimental results. 

Chapter 14

Quantum Search of Spatial Regions 



This chapter represents joint work with Andris Ambainis. 

The goal of Grover's quantum search algorithm [139] is to search an 'unsorted
database' of size n in a number of queries proportional to $\sqrt{n}$. Classically, of course, order
n queries are needed. It is sometimes asserted that, although the speedup of Grover's
algorithm is only quadratic, this speedup is provable, in contrast to the exponential speedup
of Shor's factoring algorithm [219]. But is that really true? Grover's algorithm is typically
imagined as speeding up combinatorial search — and we do not know whether every problem
in NP can be classically solved quadratically faster than the "obvious" way, any more than
we know whether factoring is in BPP.

But could Grover's algorithm speed up search of a physical region? Here the basic
problem, it seems to us, is the time needed for signals to travel across the region. For if we
are interested in the fundamental limits imposed by physics, then we should acknowledge
that the speed of light is finite, and that a bounded region of space can store only a finite
amount of information, according to the holographic principle [HSJ. We discuss the latter
constraint in detail in Section 14.3; for now, we say only that it suggests a model in which
a 'quantum robot' occupies a superposition over finitely many locations, and moving the
robot from one location to an adjacent one takes unit time. In such a model, the time
needed to search a region could depend critically on its spatial layout. For example, if the
n entries are arranged on a line, then even to move the robot from one end to the other
takes n − 1 steps. But what if the entries are arranged on, say, a 2-dimensional square grid
(Figure 14.1)?

14.1 Summary of Results 

This chapter gives the first systematic treatment of quantum search of spatial regions, 
with 'regions' modeled as connected graphs. Our main result is positive: we show that a 
quantum robot can search a d-dimensional hypercube with n vertices for a unique marked
vertex in time $O(\sqrt{n} \log^{3/2} n)$ when d = 2, or $O(\sqrt{n})$ when d ≥ 3. This matches (or in
the case of 2 dimensions, nearly matches) the $\Omega(\sqrt{n})$ lower bound for quantum search, and
supports the view that Grover search of a physical region presents no problem of principle.

[Figure 14.1: A quantum robot, in a superposition over locations, searching for a marked
item on a 2D grid of size $\sqrt{n} \times \sqrt{n}$. Labels in the figure: Robot; Marked item; side length $\sqrt{n}$.]



                                         | d = 2                       | d > 2
Hypercube, 1 marked item                 | $O(\sqrt{n} \log^{3/2} n)$  | $\Theta(\sqrt{n})$
Hypercube, k or more marked items        | $O(\sqrt{n} \log^{5/2} n)$  | $\Theta(\sqrt{n} / k^{1/2 - 1/d})$
Arbitrary graph, k or more marked items  | $\sqrt{n} \, 2^{O(\sqrt{\log n})}$ | $\tilde{\Theta}(\sqrt{n} / k^{1/2 - 1/d})$

Table 14.1: Upper and lower bounds for quantum search on a d-dimensional graph given in
this chapter. The symbol $\tilde{\Theta}$ means that the upper bound includes a polylogarithmic term.
Note that, if d = 2, then $\Omega(\sqrt{n})$ is always a lower bound, for any number of marked items.



Our basic technique is divide-and-conquer; indeed, once the idea is pointed out, an upper
bound of $O(n^{1/2 + \varepsilon})$ follows readily. However, to obtain the tighter bounds is more difficult;
for that we use the amplitude-amplification framework of Brassard et al. [67].

Section 14.6 presents the main results; Section 14.6.4 shows further that, when
there are k or more marked vertices, the search time becomes $O(\sqrt{n} \log^{5/2} n)$ when d = 2,
or $O(\sqrt{n} / k^{1/2 - 1/d})$ when d ≥ 3. Also, Section 14.7 generalizes our algorithm to arbitrary
graphs that have 'hypercube-like' expansion properties. Here the best bounds we can
achieve are $\sqrt{n} \, 2^{O(\sqrt{\log n})}$ when d = 2, or $O(\sqrt{n} \, \mathrm{polylog} \, n)$ when d > 2 (note that d need
not be an integer). Table 14.1 summarizes the results.

Section 14.8 shows, as an unexpected application of our search algorithm, that
the quantum communication complexity of the well-known disjointness problem is $O(\sqrt{n})$.
This improves an $O(\sqrt{n} \, c^{\log^* n})$ upper bound of Høyer and de Wolf [146], and matches the
$\Omega(\sqrt{n})$ lower bound of Razborov [199].

The rest of the chapter is about the formal model that underlies our results.
Section 14.3 sets the stage for this model, by exploring the ultimate limits on information
storage imposed by properties of space and time. This discussion serves only to motivate
our results; thus, it can be safely skipped by readers unconcerned with the physical universe.
In Section 14.4 we define quantum query algorithms on graphs, a model similar to quantum
query algorithms as defined in Section 5.1 but with the added requirement that unitary
operations be 'local' with respect to some graph. In Section 14.4.1 we address the difficult
question, which also arises in work on quantum random walks and quantum cellular
automata [238], of what 'local' means. Section 14.5 proves general facts about our model,
including an upper bound of $O(\sqrt{n \delta})$ for the time needed to search any graph with diameter
$\delta$, and a proof (using the hybrid argument of Bennett et al.) that this upper bound is
tight for certain graphs. We conclude in Section 14.9 with some open problems.

14.2 Related Work 

In a paper on 'Space searches with a quantum robot,' Benioff [50] asked whether Grover's
algorithm can speed up search of a physical region, as opposed to a combinatorial search
space. His answer was discouraging: for a 2-D grid of size $\sqrt{n} \times \sqrt{n}$, Grover's algorithm
is no faster than classical search. The reason is that, during each of the $\Theta(\sqrt{n})$ Grover
iterations, the algorithm must use order $\sqrt{n}$ steps just to travel across the grid and return
to its starting point for the diffusion step. On the other hand, Benioff noted, Grover's
algorithm does yield some speedup for grids of dimension 3 or higher, since those grids have
diameter less than $\sqrt{n}$.

Our results show that Benioff's claim is mistaken: by using Grover's algorithm
more carefully, one can search a 2-D grid for a single marked vertex in $O(\sqrt{n} \log^{3/2} n)$
time. To us this illustrates why one should not assume an algorithm is optimal on heuristic
grounds. Painful experience — for example, the "obviously optimal" $O(n^3)$ matrix
multiplication algorithm [226] — is what taught computer scientists to see the proving of lower
bounds as more than a formality.

Our setting is related to that of quantum random walks on graphs |191 1831 15H [216 . 
In an earlier version of this chapter, we asked whether quantum walks might yield an 
alternative spatial search algorithm, possibly even one that outperforms our divide-and-
conquer algorithm. Motivated by this question, Childs and Goldstone [HE] managed to show
that in the continuous-time setting, a quantum walk can search a d-dimensional hypercube
for a single marked vertex in time $O(\sqrt{n} \log n)$ when d = 4, or $O(\sqrt{n})$ when d ≥ 5. Our
algorithm was still faster in 3 or fewer dimensions (see Table 14.2). Subsequently, however,
Ambainis, Kempe, and Rivosh gave an algorithm based on a discrete-time quantum
walk, which was as fast as ours in 3 or more dimensions, and faster in 2 dimensions. In
particular, when d = 2 their algorithm used only $O(\sqrt{n} \log n)$ time to find a unique marked
vertex. Childs and Goldstone [HS] then gave a continuous-time quantum walk algorithm
with the same performance, and related this algorithm to properties of the Dirac equation.
It is still open whether $O(\sqrt{n})$ time is achievable in 2 dimensions.

Currently, the main drawback of the quantum walk approach is that all analyses 
have relied heavily on symmetries in the underlying graph. If even minor 'defects' are 
introduced, it is no longer known how to upper-bound the running time. By contrast, 
the analysis of our divide-and-conquer algorithm is elementary, and does not depend on 
eigenvalue bounds. We can therefore show that the algorithm works for any graphs with 
sufficiently good expansion properties. 

Childs and Goldstone (HO] argued that the quantum walk approach has the advantage
of requiring fewer auxiliary qubits than the divide-and-conquer approach. However,
the need for many qubits was an artifact of how we implemented the algorithm in a previous
version of the chapter. The current version uses only one qubit.

                                               d = 2                        d = 3            d = 4                 d ≥ 5
This chapter                                   $O(\sqrt{n}\log^{3/2} n)$    $O(\sqrt{n})$    $O(\sqrt{n})$         $O(\sqrt{n})$
Childs and Goldstone (original walk)           $O(n)$                       $O(n^{5/6})$     $O(\sqrt{n}\log n)$   $O(\sqrt{n})$
Ambainis, Kempe, Rivosh; Childs and Goldstone  $O(\sqrt{n}\log n)$          $O(\sqrt{n})$    $O(\sqrt{n})$         $O(\sqrt{n})$

Table 14.2: Time needed to find a unique marked item in a $d$-dimensional hypercube, using
the divide-and-conquer algorithms of this chapter, the original quantum walk algorithm of
Childs and Goldstone jSHj, and the improved walk algorithms of Ambainis, Kempe, and
Rivosh [HJ and Childs and Goldstone [85].

14.3 The Physics of Databases 

Theoretical computer science generally deals with the limit as some resource (such as time or 
memory) increases to infinity. What is not always appreciated is that, as the resource bound 
increases, physical constraints may come into play that were negligible at 'sub-asymptotic' 
scales. We believe theoretical computer scientists ought to know something about such 
constraints, and to account for them when possible. For if the constraints are ignored on 
the ground that they "never matter in practice," then the obvious question arises: why use 
asymptotic analysis in the first place, rather than restricting attention to those instance 
sizes that occur in practice? 

A constraint of particular interest for us is the holographic principle [65], which
arose from black-hole thermodynamics. The principle states that the information content
of any spatial region is upper-bounded by its surface area (not volume), at a rate of one
bit per Planck area, or about $1.4 \times 10^{69}$ bits per square meter. Intuitively, if one tried to
build a spherical hard disk with mass density $v$, one could not keep expanding it forever.
For as soon as the radius reached the Schwarzschild bound of $r = \sqrt{3/(8\pi v)}$ (in Planck
units, $c = G = \hbar = k = 1$), the hard disk would collapse to form a black hole, and thus its
contents would be irretrievable.

Actually the situation is worse than that: even a planar hard disk of constant
mass density would collapse to form a black hole once its radius became sufficiently large,
$r = \Theta(1/v)$. (We assume here that the hard disk is disc-shaped. A linear or 1-D hard
disk could expand indefinitely without collapse.) It is possible, though, that a hard disk's
information content could asymptotically exceed its mass. For example, a black hole's
mass is proportional to the radius of its event horizon, but the entropy is proportional to
the square of the radius (that is, to the surface area). Admittedly, inherent difficulties with
storage and retrieval make a black hole horizon less than ideal as a hard disk. However,
even a weakly-gravitating system could store information at a rate asymptotically exceeding
its mass-energy. For instance, Bousso [65] shows that an enclosed ball of radiation with
radius $r$ can store $n = O(r^{3/2})$ bits, even though its energy grows only as $r$. Our results in
Section 14.7.1 will imply that a quantum robot could (in principle!) search such a 'radiation
disk' for a marked item in time $O(r^{5/4}) = O(n^{5/6})$. This is some improvement over the
trivial $O(n)$ upper bound for a 1-D hard disk, though it falls short of the desired $O(\sqrt{n})$.
In general, if $n = r^c$ bits are scattered throughout a 3-D ball of radius $r$ (where
$c \le 3$ and the bits' locations are known), we will show in Theorem 130 that the time
needed to search for a '1' bit grows as $n^{1/c + 1/6} = r^{1 + c/6}$ (omitting logarithmic factors). In
particular, if $n = O(r^2)$ (saturating the holographic bound), then the time grows as $n^{2/3}$ or
$r^{4/3}$. To achieve a search time of $O(\sqrt{n}\,\mathrm{polylog}\,n)$, the bits would need to be concentrated
on a 2-D surface.

Because of the holographic principle, we see that it is not only quantum mechanics
that yields a $\Omega(\sqrt{n})$ lower bound on the number of steps needed for unordered search. If
the items to be searched are laid out spatially, then general relativity in 3 + 1 dimensions
independently yields the same bound, $\Omega(\sqrt{n})$, up to a constant factor.¹ Interestingly, in
$d + 1$ dimensions the relativity bound would be $\Omega(n^{1/(d-1)})$, which for $d > 3$ is weaker than
the quantum mechanics bound. Given that our two fundamental theories yield the same
lower bound, it is natural to ask whether that bound is tight. The answer seems to be that
it is not tight, since (i) the entropy on a black hole horizon is not efficiently accessible², and
(ii) weakly-gravitating systems are subject to the Bekenstein bound [IS], an even stronger
entropy constraint than the holographic bound.

Yet it is still of basic interest to know whether $n$ bits in a radius-$r$ ball can be
searched in time $o(\min\{n, r\sqrt{n}\})$ — that is, whether it is possible to do anything better
than either brute-force quantum search (with the drawback pointed out by Benioff [50]), or
classical search. Our results show that it is possible.

From a physical point of view, several questions naturally arise: (1) whether our 
complexity measure is realistic; (2) how to account for time dilation; and (3) whether given 
the number of bits we are imagining, cosmological bounds are also relevant. Let us address 
these questions in turn. 

(1) One could argue that to maintain a 'quantum database' of size $n$ requires $n$
computing elements ([251], though see also [206]). So why not just exploit those elements
to search the database in parallel? Then it becomes trivial to show that the search time is 
limited only by the radius of the database, so the algorithms of this chapter are unnecessary. 
Our response is that, while there might be n 'passive' computing elements (capable of storing 
data), there might be many fewer 'active' elements, which we consequently wish to place in 
a superposition over locations. This assumption seems physically unobjectionable. For a 
particle (and indeed any object) really does have an indeterminate location, not merely an 
indeterminate internal state (such as spin) at some location. We leave as an open problem, 
however, whether our assumption is valid for specific quantum computer architectures such 
as ion traps. 

(2) So long as we invoke general relativity, should we not also consider the effects
of time dilation? Those effects are indeed pronounced near a black hole horizon. Again,
though, for our upper bounds we will have in mind systems far from the Schwarzschild
limit, for which any time dilation is by at most a constant factor independent of $n$.

¹ Admittedly, the holographic principle is part of quantum gravity and not general relativity per se.
All that matters for us, though, is that the principle seems logically independent of quantum-mechanical
linearity, which is what produces the "other" $\Omega(\sqrt{n})$ bound.

² In the case of a black hole horizon, waiting for the bits to be emitted as Hawking radiation — as recent
evidence suggests that they are [209] — takes time proportional to $r^3$, which is much too long.

(3) How do cosmological considerations affect our analysis? Bousso [64] argues
that, in a spacetime with positive cosmological constant $\Lambda > 0$, the total number of bits
accessible to any one experiment is at most $3\pi/(\Lambda \ln 2)$, or roughly $10^{122}$ given current
experimental bounds [208] on $\Lambda$.³ Intuitively, even if the universe is spatially infinite, most
of it recedes too quickly from any one observer to be harnessed as computer memory.

One response to this result is to assume an idealization in which $\Lambda$ vanishes,
although Planck's constant $\hbar$ does not vanish. As justification, one could argue that without
the idealization $\Lambda = 0$, all asymptotic bounds in computer science are basically fictions.
But perhaps a better response is to accept the $3\pi/(\Lambda \ln 2)$ bound, and then ask how close
one can come to saturating it in different scenarios. Classically, the maximum number
of bits that can be searched is, in a crude model⁴, actually proportional to $1/\sqrt{\Lambda} \approx 10^{61}$
rather than $1/\Lambda$. The reason is that if a region had much more than $1/\sqrt{\Lambda}$ bits, then
after $1/\sqrt{\Lambda}$ Planck times — that is, about $10^{10}$ years, or roughly the current age of the
universe — most of the region would have receded beyond one's cosmological horizon. What
our results suggest is that, using a quantum robot, one could come closer to saturating the
cosmological bound — since, for example, a 2-D region of size $1/\Lambda$ can be searched in time
$O\left(\frac{1}{\sqrt{\Lambda}}\,\mathrm{polylog}\,\frac{1}{\sqrt{\Lambda}}\right)$. How anyone could prepare (say) a database of size much greater than
$1/\sqrt{\Lambda}$ remains unclear, but if such a database existed, it could be searched!

14.4 The Model 

As discussed in Part I, much of what is known about the power of quantum computing
comes from the black-box or query model — in which one counts only the number of queries 
to an oracle, not the number of computational steps. We will take this model as the 
starting point for a formal definition of quantum robots. Doing so will focus attention 
on our main concern: how much harder is it to evaluate a function when its inputs are 
spatially separated? As it turns out, all of our algorithms will be efficient as measured by 
the number of gates and auxiliary qubits needed to implement them. 

For simplicity, we assume that a robot's goal is to evaluate a Boolean function
$f : \{0,1\}^n \to \{0,1\}$, which could be partial or total. A 'region of space' is a connected
undirected graph $G = (V, E)$ with vertices $V = \{v_1, \ldots, v_n\}$. Let $X = x_1 \ldots x_n \in \{0,1\}^n$
be an input to $f$; then each bit $x_i$ is available only at vertex $v_i$. We assume the robot
knows $G$ and the vertex labels in advance, and so is ignorant only of the $x_i$ bits. We thus
sidestep a major difficulty for quantum walks, which is how to ensure that a process
on an unknown graph is unitary.

³ Also, Lloyd [170] argues that the total number of bits accessible up till now is at most the square of the
number of Planck times elapsed so far, or about $(10^{61})^2 = 10^{122}$. Lloyd's bound, unlike Bousso's, does not
depend on $\Lambda$ being positive. The numerical coincidence between the two bounds reflects the experimental
finding [208, 207] that we live in a transitional era, when both $\Lambda$ and "dust" contribute significantly to the
universe's net energy balance ($\Omega_\Lambda \approx 0.7$, $\Omega_{\mathrm{dust}} \approx 0.3$). In earlier times dust (and before that radiation)
dominated, and Lloyd's bound was tighter. In later times $\Lambda$ will dominate, and Bousso's bound will be
tighter. Why we should live in such a transitional era is unknown.

⁴ Specifically, neglecting gravity and other forces that could counteract the effect of $\Lambda$.

At any time, the robot's state has the form

$$\sum_{i,z} \alpha_{i,z} |v_i, z\rangle.$$

Here $v_i \in V$ is a vertex, representing the robot's location; and $z$ is a bit string (which can
be arbitrarily long), representing the robot's internal configuration. The state evolves via
an alternating sequence of $T$ algorithm steps and $T$ oracle steps:

$$U^{(1)} \to O^{(1)} \to U^{(2)} \to O^{(2)} \to \cdots \to U^{(T)} \to O^{(T)}.$$

An oracle step $O^{(t)}$ maps each basis state $|v_i, z\rangle$ to $|v_i, z \oplus x_i\rangle$, where $x_i$ is exclusive-OR'ed
into the first bit of $z$. An algorithm step $U^{(t)}$ can be any unitary matrix that (1) does not
depend on $X$, and (2) acts 'locally' on $G$. How to make the second condition precise is the
subject of Section 14.4.1.

The initial state of the algorithm is $|v_1, 0\rangle$. Let $\alpha^{(t)}_{i,z}(X)$ be the amplitude of $|v_i, z\rangle$
immediately after the $t$-th oracle step; then the algorithm succeeds with probability $1 - \varepsilon$ if

$$\sum_{|v_i,z\rangle \,:\, z_{OUT} = f(X)} \left| \alpha^{(T)}_{i,z}(X) \right|^2 \ge 1 - \varepsilon$$

for all inputs $X$, where $z_{OUT}$ is a bit of $z$ representing the output.



14.4.1 Locality Criteria 

Classically, it is easy to decide whether a stochastic matrix acts locally with respect to a 
graph G: it does if it moves probability only along the edges of G. In the quantum case, 
however, interference makes the question much more subtle. In this section we propose 
three criteria for whether a unitary matrix U is local. Our algorithms can be implemented 
using the most restrictive of these criteria, whereas our lower bounds apply to all three of 
them. 

The first criterion we call Z-locality (for zero): $U$ is Z-local if, given any pair of
non-neighboring vertices $v_1, v_2$ in $G$, $U$ "sends no amplitude" from $v_1$ to $v_2$; that is, the
corresponding entries in $U$ are all 0. The second criterion, C-locality (for composability),
says that this is not enough: not only must $U$ send amplitude only between neighboring
vertices, but it must be composed of a product of commuting unitaries, each of which acts
on a single edge. The third criterion is perhaps the most natural one to a physicist: $U$
is H-local (for Hamiltonian) if it can be obtained by applying a locally-acting, low-energy
Hamiltonian for some fixed amount of time. More formally, let $U_{i,z \to i^*,z^*}$ be the entry in
the $|v_i, z\rangle$ column and $|v_{i^*}, z^*\rangle$ row of $U$.

Definition 101 $U$ is Z-local if $U_{i,z \to i^*,z^*} = 0$ whenever $i \ne i^*$ and $(v_i, v_{i^*})$ is not an edge
of $G$.

Definition 102 $U$ is C-local if the basis states can be partitioned into subsets $P_1, \ldots, P_q$
such that

(i) $U_{i,z \to i^*,z^*} = 0$ whenever $|v_i, z\rangle$ and $|v_{i^*}, z^*\rangle$ belong to distinct $P_j$'s, and

(ii) for each $j$, all basis states in $P_j$ are either from the same vertex or from two adjacent
vertices.

Definition 103 $U$ is H-local if $U = e^{iH}$ for some Hermitian $H$ with eigenvalues of absolute
value at most $\pi$, such that $H_{i,z \to i^*,z^*} = 0$ whenever $i \ne i^*$ and $(v_i, v_{i^*})$ is not an edge in $E$.

If a unitary matrix is C-local, then it is also Z-local and H-local. For the latter
implication, note that any unitary $U$ can be written as $e^{iH}$ for some $H$ with eigenvalues of
absolute value at most $\pi$. So we can write the unitary $U_j$ acting on each $P_j$ as $e^{iH_j}$; then
since the $U_j$'s commute,

Beyond that, though, how are the locality criteria related? Are they approximately
equivalent? If not, then does a problem's complexity in our model ever depend on which criterion
is chosen? Let us emphasize that these questions are not answered by, for example, the
Solovay-Kitaev theorem (see [182]), that an $n \times n$ unitary matrix can be approximated using
a number of gates polynomial in $n$. For recall that the definition of C-locality requires the
edgewise operations to commute — indeed, without that requirement, one could produce any
unitary matrix at all. So the relevant question, which we leave open, is whether any Z-local
or H-local unitary can be approximated by a product of, say, $O(\log n)$ C-local unitaries.
(A product of $O(n)$ such unitaries trivially suffices, but that is far too many.) Again, the
algorithms in this chapter will use C-local unitaries, whereas the lower bounds will apply 
even to Z-local and H-local unitaries. 
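
The following check of Definitions 101 and 102 is an added example, not code from the thesis; the 4-cycle graph, the three sample matrices and all function names are constructed for illustration, and H-locality (Definition 103) is not tested. It shows a single step that is Z-local but not C-local.

```python
from math import sqrt

TOL = 1e-12  # entries with smaller magnitude are treated as zero


def is_unitary(U):
    """True if the rows of the square matrix U are orthonormal."""
    n = len(U)
    for a in range(n):
        for b in range(n):
            dot = sum(U[a][k] * complex(U[b][k]).conjugate() for k in range(n))
            if abs(dot - (1 if a == b else 0)) > 1e-9:
                return False
    return True


def is_z_local(U, basis, edges):
    """Definition 101: no amplitude moves between distinct non-adjacent vertices.

    basis[k] = (vertex, z); U[row][col] is the amplitude sent from basis
    state `col` to basis state `row`.
    """
    adjacent = {frozenset(e) for e in edges}
    for row, (v_to, _) in enumerate(basis):
        for col, (v_from, _) in enumerate(basis):
            if abs(U[row][col]) <= TOL or v_to == v_from:
                continue
            if frozenset((v_to, v_from)) not in adjacent:
                return False
    return True


def finest_blocks(U):
    """Connected components of the nonzero pattern of U (union-find).

    This is the finest partition P_1..P_q meeting condition (i) of
    Definition 102; any other valid partition merges some of these blocks.
    """
    n = len(U)
    parent = list(range(n))

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for r in range(n):
        for c in range(n):
            if abs(U[r][c]) > TOL:
                parent[find(r)] = find(c)
    blocks = {}
    for a in range(n):
        blocks.setdefault(find(a), []).append(a)
    return list(blocks.values())


def is_c_local(U, basis, edges):
    """Definition 102, decided on the finest partition.

    Merging blocks can only enlarge the set of vertices a block touches, so if
    the finest partition violates condition (ii), every valid partition does.
    """
    adjacent = {frozenset(e) for e in edges}
    for block in finest_blocks(U):
        vertices = {basis[k][0] for k in block}
        if len(vertices) > 2:
            return False
        if len(vertices) == 2 and frozenset(vertices) not in adjacent:
            return False
    return True


# Constructed sample: a 4-cycle v0-v1-v2-v3-v0 with no internal state (z = 0).
CYCLE_EDGES = [(0, 1), (1, 2), (2, 3), (3, 0)]
BASIS = [(0, 0), (1, 0), (2, 0), (3, 0)]
b = 1 / sqrt(2)
# Every vertex splits its amplitude between its two neighbours.
WALK = [[0, b, 0, b],
        [b, 0, b, 0],
        [0, b, 0, -b],
        [b, 0, -b, 0]]
# Two commuting edge operations: swap v0<->v1 and swap v2<->v3.
PAIR_SWAPS = [[0, 1, 0, 0],
              [1, 0, 0, 0],
              [0, 0, 0, 1],
              [0, 0, 1, 0]]
# Swap across the diagonal v0<->v2, which is not an edge of the cycle.
DIAGONAL_SWAP = [[0, 0, 1, 0],
                 [0, 1, 0, 0],
                 [1, 0, 0, 0],
                 [0, 0, 0, 1]]

if __name__ == "__main__":
    for name, U in [("WALK", WALK), ("PAIR_SWAPS", PAIR_SWAPS),
                    ("DIAGONAL_SWAP", DIAGONAL_SWAP)]:
        print(name, "Z-local:", is_z_local(U, BASIS, CYCLE_EDGES),
              "C-local:", is_c_local(U, BASIS, CYCLE_EDGES))
```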

14.5 General Bounds 

Given a Boolean function $f : \{0,1\}^n \to \{0,1\}$, the quantum query complexity $Q(f)$ is
the minimum $T$ for which there exists a $T$-query quantum algorithm that evaluates $f$
with probability at least 2/3 on all inputs. (We will always be interested in the two-sided,
bounded-error complexity, denoted $Q_2(f)$ elsewhere in this thesis.) Similarly, given a graph
$G$ with $n$ vertices labeled $1, \ldots, n$, we let $Q(f, G)$ be the minimum $T$ for which there exists
a $T$-query quantum robot on $G$ that evaluates $f$ with probability 2/3. Here the algorithm
steps must be C-local; we use $Q^Z(f, G)$ and $Q^H(f, G)$ to denote the corresponding measure
with Z-local and H-local steps respectively. Clearly $Q(f, G) \ge Q^Z(f, G)$ and $Q(f, G) \ge
Q^H(f, G)$; we do not know whether all three measures are asymptotically equivalent.

Let $\delta_G$ be the diameter of $G$, and call $f$ nondegenerate if it depends on all $n$ input
bits.

Proposition 104 For all $f$, $G$,

(i) $Q(f, G) \le 2n - 3$.

(ii) $Q(f, G) \le (2\delta_G + 1)\,Q(f)$.

(iii) $Q(f, G) \ge Q(f)$.

(iv) $Q(f, G) \ge \delta_G/2$ if $f$ is nondegenerate.

Proof.

(i) Starting from the root, a spanning tree for $G$ can be traversed in $2(n - 1) - 1$ steps
(there is no need to return to the root).

(ii) We can simulate a query in $2\delta_G$ steps, by fanning out from the start vertex $v_1$ and
then returning. Applying a unitary at $v_1$ takes 1 step.

(iii) Obvious.

(iv) There exists a vertex $v_i$ whose distance to $v_1$ is at least $\delta_G/2$, and $f$ could depend on
$x_i$.

■

We now show that the model is robust. 

Proposition 105 For nondegenerate $f$, the following change $Q(f, G)$ by at most a constant
factor.

(i) Replacing the initial state $|v_1, 0\rangle$ by an arbitrary (known) $|\psi\rangle$.

(ii) Requiring the final state to be localized at some vertex $v_i$ with probability at least $1 - \varepsilon$,
for a constant $\varepsilon > 0$.

(iii) Allowing multiple algorithm steps between each oracle step (and measuring the
complexity by the number of algorithm steps).

Proof.

(i) We can transform $|v_1, 0\rangle$ to $|\psi\rangle$ (and hence $|\psi\rangle$ to $|v_1, 0\rangle$) in $\delta_G = O(Q(f, G))$ steps,
by fanning out from $v_1$ along the edges of a minimum-height spanning tree.

(ii) Assume without loss of generality that $z_{OUT}$ is accessed only once, to write the output.
Then after $z_{OUT}$ is accessed, uncompute (that is, run the algorithm backwards) to
localize the final state at $v_1$. The state can then be localized at any $v_i$ in $\delta_G =
O(Q(f, G))$ steps. We can succeed with any constant probability by repeating this
procedure a constant number of times.

(iii) The oracle step $O$ is its own inverse, so we can implement a sequence $U_1, U_2, \ldots$ of
algorithm steps as follows (where $I$ is the identity):

$$U_1 \to O \to I \to O \to U_2 \to \cdots$$



A function of particular interest is $f = \mathrm{OR}(x_1, \ldots, x_n)$, which outputs 1 if and
only if $x_i = 1$ for some $i$. We first give a general upper bound on $Q(\mathrm{OR}, G)$ in terms of
the diameter of $G$. (Throughout the chapter, we sometimes omit floor and ceiling signs if
they clearly have no effect on the asymptotics.)

Figure 14.2: The 'starfish' graph G. The marked item is at one of the tip vertices.



Proposition 106

$$Q(\mathrm{OR}, G) = O\left(\sqrt{n \delta_G}\right).$$

Proof. Let $\tau$ be a minimum-height spanning tree for $G$, rooted at $v_1$. A depth-first
search on $\tau$ uses $2n - 2$ steps. Let $S_1$ be the set of vertices visited by depth-first search
in steps 1 to $\delta_G$, $S_2$ be those visited in steps $\delta_G + 1$ to $2\delta_G$, and so on. Then

$$S_1 \cup \cdots \cup S_{2n/\delta_G} = V.$$

Furthermore, for each $S_j$ there is a classical algorithm $A_j$, using at most $3\delta_G$ steps, that
starts at $v_1$, ends at $v_1$, and outputs '1' if and only if $x_i = 1$ for some $v_i \in S_j$. Then we
simply perform Grover search at $v_1$ over all $A_j$; since each iteration takes $O(\delta_G)$ steps and
there are $O\left(\sqrt{2n/\delta_G}\right)$ iterations, the number of steps is $O\left(\sqrt{n \delta_G}\right)$. ■

The bound of Proposition 106 is tight:

Theorem 107 For all $\delta$, there exists a graph $G$ with diameter $\delta_G = \delta$ such that

$$Q(\mathrm{OR}, G) = \Omega\left(\sqrt{n\delta}\right).$$

Indeed, $Q^Z(f, G)$ and $Q^H(f, G)$ are also $\Omega\left(\sqrt{n\delta}\right)$.

Proof. For simplicity, we first consider the C-local and Z-local cases, and then
discuss what changes in the H-local case. Let $G$ be a 'starfish' with central vertex $v_1$ and
$M = 2(n - 1)/\delta$ legs $L_1, \ldots, L_M$, each of length $\delta/2$ (see Figure 14.2). We use the hybrid
argument of Bennett et al. [HJ. Suppose we run the algorithm on the all-zero input $X_0$.
Then define the query magnitude $\Gamma_j^{(t)}$ to be the probability of finding the robot in leg $L_j$
immediately after the $t$-th query:

$$\Gamma_j^{(t)} = \sum_{v_i \in L_j} \sum_z \left| \alpha^{(t)}_{i,z}(X_0) \right|^2.$$

Let $T$ be the total number of queries, and let $w = T/(c\delta)$ for some constant $0 < c < 1/2$.
Clearly

$$\sum_{q=0}^{w-1} \sum_{j=1}^{M} \Gamma_j^{(T - qc\delta)} \le \sum_{q=0}^{w-1} 1 = w.$$

Hence there must exist a leg $L_{j^*}$ such that

$$\sum_{q=0}^{w-1} \Gamma_{j^*}^{(T - qc\delta)} \le \frac{w}{M} = \frac{w\delta}{2(n-1)}.$$

Let $v_{i^*}$ be the tip vertex of $L_{j^*}$, and let $Y$ be the input which is 1 at $v_{i^*}$ and 0 elsewhere.
Then let $X_q$ be a hybrid input, which is $X_0$ during queries 1 to $T - qc\delta$, but $Y$ during
queries $T - qc\delta + 1$ to $T$. Also, let

$$|\psi^{(t)}(X_q)\rangle = \sum_{i,z} \alpha^{(t)}_{i,z}(X_q)\, |v_i, z\rangle$$

be the algorithm's state after $t$ queries when run on $X_q$, and let

$$D(q, r) = \left\| \, |\psi^{(T)}(X_q)\rangle - |\psi^{(T)}(X_r)\rangle \, \right\|_2^2.$$

Then for all $q \ge 1$, we claim that $D(q - 1, q) \le 4\Gamma_{j^*}^{(T - qc\delta)}$. For by unitarity, the Euclidean
distance between $|\psi^{(t)}(X_{q-1})\rangle$ and $|\psi^{(t)}(X_q)\rangle$ can only increase as a result of queries
$T - qc\delta + 1$ through $T - (q - 1)c\delta$. But no amplitude from outside $L_{j^*}$ can reach $v_{i^*}$ during
that interval, since the distance is $\delta/2$ and there are only $c\delta < \delta/2$ time steps. Therefore,
switching from $X_{q-1}$ to $X_q$ can only affect amplitude that is in $L_{j^*}$ immediately after query
$T - qc\delta$:

$$D(q-1, q) \le \sum_{v_i \in L_{j^*}} \sum_z \left| \alpha^{(T - qc\delta)}_{i,z}(X_0) - \left( -\alpha^{(T - qc\delta)}_{i,z}(X_0) \right) \right|^2
= 4 \sum_{v_i \in L_{j^*}} \sum_z \left| \alpha^{(T - qc\delta)}_{i,z}(X_0) \right|^2 = 4\Gamma_{j^*}^{(T - qc\delta)}.$$

It follows that

$$\sqrt{D(0, w)} \le \sum_{q=1}^{w} \sqrt{D(q-1, q)} \le 2 \sum_{q=1}^{w} \sqrt{\Gamma_{j^*}^{(T - qc\delta)}} \le 2w \sqrt{\frac{\delta}{2(n-1)}} = \frac{T\sqrt{2}}{c\sqrt{\delta(n-1)}}.$$

Here the first inequality uses the triangle inequality, and the third uses the Cauchy-Schwarz
inequality. Now assuming the algorithm is correct we need $D(0, w) = \Omega(1)$, which implies
that $T = \Omega\left(\sqrt{n\delta}\right)$.

In the H-local case, it is no longer true that no amplitude from outside $L_{j^*}$ can
reach $v_{i^*}$ in $c\delta$ time steps. But if $c$ is a small enough constant, then the amount of
amplitude that can reach $v_{i^*}$ decreases exponentially in $\delta$. To see this, assume without
loss of generality that all amplitude not in $L_{j^*}$ starts in the state $|v_0, \psi\rangle$, where $|\psi\rangle$ is some
superposition over auxiliary qubits. Let $H$ be the local Hamiltonian that acts between the
$t$-th and $(t + 1)$-st queries, all of whose eigenvalues have absolute value at most $\pi$. Since $H$
is Hermitian, we can decompose it as $V \Lambda V^{-1}$ where $V$ is unitary and $\Lambda$ is diagonal. So by
Taylor series expansion,



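$$e^{iH} = \sum_{j \ge 0} \frac{i^j}{j!}\, V \Lambda^j V^{-1}.$$

Now let $S$ be the set of basis states $|v_b, z_b\rangle$ such that the distance from $v_0$ to $v_b$ is $\ell$, for
some $\ell > 4\pi$. Notice that for all $j < \ell$ and $|v_b, z_b\rangle \in S$, we have

$$\langle v_b, z_b | H^j | v_0, \psi \rangle = \langle v_b, z_b | V \Lambda^j V^{-1} | v_0, \psi \rangle = 0$$

by the locality of $H$. Therefore

$$\sum_{|v_b, z_b\rangle \in S} \left| \langle v_b, z_b | e^{iH} | v_0, \psi \rangle \right|^2
= \sum_{|v_b, z_b\rangle \in S} \left| \sum_{j \ge \ell} \frac{i^j}{j!} \langle v_b, z_b | V \Lambda^j V^{-1} | v_0, \psi \rangle \right|^2$$
$$\le \left( \sum_{j \ge \ell} \sqrt{ \sum_{|v_b, z_b\rangle \in S} \left| \frac{i^j}{j!} \langle v_b, z_b | V \Lambda^j V^{-1} | v_0, \psi \rangle \right|^2 } \right)^2$$
$$\le \left( \sum_{j \ge \ell} \sqrt{\frac{\pi^j}{j!}} \right)^2$$
$$\le \frac{4\pi^\ell}{\ell!}.$$

Here the second line uses the triangle inequality, the third line uses the fact that $V \Lambda^j V^{-1}$ has
maximum eigenvalue at most $\pi^j$ (and therefore $(i^j/j!)\, V \Lambda^j V^{-1}$ has maximum eigenvalue at
most $\pi^j/j!$), and the fourth line uses the fact that $\ell > 4\pi$. Intuitively, the probability that
$H$ sends the robot a distance $\ell$ from $v_0$ is at most $4\pi^\ell/\ell!$, which decreases exponentially in
$\ell$. One can now use a Chernoff-Hoeffding bound to upper-bound the probability that $c\delta$
local Hamiltonians, applied in succession, ever move the robot a distance $\delta/2$ from $v_0$. It
is clear that the resulting upper bound is $2^{-\Omega(\delta)}$ for small enough $c$. Therefore

$$D(q - 1, q) \le 4\Gamma_{j^*}^{(T - qc\delta)} + 2^{-\Omega(\delta)}$$

and the remainder of the proof goes through as before.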



14.6 Search on Grids 



Let $\mathcal{L}_d(n)$ be a $d$-dimensional grid graph of size $n^{1/d} \times \cdots \times n^{1/d}$. That is, each vertex
is specified by $d$ coordinates $i_1, \ldots, i_d \in \{1, \ldots, n^{1/d}\}$, and is connected to the at most $2d$
vertices obtainable by adding or subtracting 1 from a single coordinate (boundary vertices
have fewer than $2d$ neighbors). We write simply $\mathcal{L}_d$ when $n$ is clear from context. In
this section we present our main positive results: that $Q(\mathrm{OR}, \mathcal{L}_d) = O(\sqrt{n})$ for $d \ge 3$, and
$Q(\mathrm{OR}, \mathcal{L}_2) = O(\sqrt{n}\,\mathrm{polylog}\,n)$ for $d = 2$.

Before proving these claims, let us develop some intuition by showing weaker
bounds, taking the case $d = 2$ for illustration. Clearly $Q(\mathrm{OR}, \mathcal{L}_2) = O(n^{3/4})$: we simply
partition $\mathcal{L}_2(n)$ into $\sqrt{n}$ subsquares, each a copy of $\mathcal{L}_2(\sqrt{n})$. In $5\sqrt{n}$ steps, the robot can
travel from the start vertex to any subsquare $C$, search $C$ classically for a marked vertex,
and then return to the start vertex. Thus, by searching all $\sqrt{n}$ of the $C$'s in superposition
and applying Grover's algorithm, the robot can search the grid in time $O(n^{1/4}) \times 5\sqrt{n} =
O(n^{3/4})$.

Once we know that, we might as well partition $\mathcal{L}_2(n)$ into $n^{1/3}$ subsquares, each a
copy of $\mathcal{L}_2(n^{2/3})$. Searching any one of these subsquares by the previous algorithm takes
time $O\left((n^{2/3})^{3/4}\right) = O(\sqrt{n})$, an amount of time that also suffices to travel to the subsquare
and back from the start vertex. So using Grover's algorithm, the robot can search $\mathcal{L}_2(n)$ in
time $O\left(\sqrt{n^{1/3}} \cdot \sqrt{n}\right) = O(n^{2/3})$. We can continue recursively in this manner to make the
running time approach $O(\sqrt{n})$. The trouble is that, with each additional layer of recursion,
the robot needs to repeat the search more often to upper-bound the error probability. Using
this approach, the best bounds we could obtain are roughly $O(\sqrt{n}\,\mathrm{polylog}\,n)$ for $d \ge 3$, or
$\sqrt{n}\,2^{O(\sqrt{\log n})}$ for $d = 2$. In what follows, we use the amplitude amplification approach
of Brassard et al. [67] to improve these bounds, in the case of a single marked vertex, to
$O(\sqrt{n})$ for $d \ge 3$ (Section 14.6.2) and $O(\sqrt{n} \log^{3/2} n)$ for $d = 2$ (Section MEM). Section
14.6.4 generalizes these results to the case of multiple marked vertices.

Intuitively, the reason the case $d = 2$ is special is that there, the diameter of the
grid is $O(\sqrt{n})$, which matches exactly the time needed for Grover search. For $d \ge 3$, by
contrast, the robot can travel across the grid in much less time than is needed to search it.

14.6.1 Amplitude Amplification 

We start by describing amplitude amplification [67], a generalization of Grover search. Let
$A$ be a quantum algorithm that, with probability $\varepsilon$, outputs a correct answer together with
a witness that proves the answer correct. (For example, in the case of search, the algorithm
outputs a vertex label $i$ such that $x_i = 1$.) Amplification generates a new algorithm that
calls $A$ order $1/\sqrt{\varepsilon}$ times, and that produces both a correct answer and a witness with
probability $\Omega(1)$. In particular, assume $A$ starts in basis state $|s\rangle$, and let $m$ be a positive
integer. Then the amplification procedure works as follows:

(1) Set $|\psi_0\rangle = A|s\rangle$.

(2) For $i = 1$ to $m$ set $|\psi_i\rangle = A S A^{-1} W |\psi_{i-1}\rangle$, where

• $W$ flips the phase of basis state $|y\rangle$ if and only if $|y\rangle$ contains a description of a
correct witness, and

• $S$ flips the phase of basis state $|y\rangle$ if and only if $|y\rangle = |s\rangle$.

We can decompose $|\psi_0\rangle$ as $\sin\alpha\, |\Psi_{succ}\rangle + \cos\alpha\, |\Psi_{fail}\rangle$, where $|\Psi_{succ}\rangle$ is a
superposition over basis states containing a correct witness and $|\Psi_{fail}\rangle$ is a superposition over all
other basis states. Brassard et al. [67] showed the following:

Lemma 108 ([67]) $|\psi_i\rangle = \sin[(2i + 1)\alpha]\, |\Psi_{succ}\rangle + \cos[(2i + 1)\alpha]\, |\Psi_{fail}\rangle$.

If measuring $|\psi_0\rangle$ gives a correct witness with probability $\varepsilon$, then $|\sin\alpha|^2 = \varepsilon$ and
$|\alpha| \ge \sqrt{\varepsilon}$. So taking $m = O(1/\sqrt{\varepsilon})$ yields $\sin[(2m + 1)\alpha] \approx 1$. For our algorithms,
though, the multiplicative constant under the big-O also matters. To upper-bound this
constant, we prove the following lemma.

Lemma 109 Suppose a quantum algorithm $A$ outputs a correct answer and witness with
probability exactly $\varepsilon$. Then by using $2m + 1$ calls to $A$ or $A^{-1}$, where

$$m \le \frac{\pi}{4 \arcsin\sqrt{\varepsilon}} - \frac{1}{2},$$

we can output a correct answer and witness with probability at least

$$\left(1 - \frac{(2m+1)^2}{3}\,\varepsilon\right)(2m+1)^2\,\varepsilon.$$

Proof. We perform $m$ steps of amplitude amplification, which requires $2m + 1$
calls to $A$ or $A^{-1}$. By Lemma 108 this yields the final state

$$\sin[(2m + 1)\alpha]\, |\Psi_{succ}\rangle + \cos[(2m + 1)\alpha]\, |\Psi_{fail}\rangle,$$

where $\alpha = \arcsin\sqrt{\varepsilon}$. Therefore the success probability is

$$\sin^2\left[(2m + 1) \arcsin\sqrt{\varepsilon}\right] \ge \sin^2\left[(2m + 1)\sqrt{\varepsilon}\right]$$
$$\ge (2m + 1)^2\,\varepsilon - \frac{(2m+1)^4}{3}\,\varepsilon^2.$$

Here the first line uses the monotonicity of $\sin^2 x$ in the interval $[0, \pi/2]$, and the second
line uses the fact that $\sin x \ge x - x^3/6$ for all $x \ge 0$ by Taylor series expansion. ■

Note that there is no need to uncompute any garbage left by A, beyond the 
uncomputation that happens "automatically" within the amplification procedure. 
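
Lemmas 108 and 109 can be checked numerically. The simulation below is an added example, not code from the thesis; the Householder reflection standing in for $A$, the 32-state space, the marked indices and all function names are assumptions made for illustration.

```python
from math import asin, floor, pi, sin, sqrt


def initial_state(n, good, eps):
    """Constructed |psi_0> = A|s>: total probability eps on the `good` indices."""
    amp_good = sqrt(eps / len(good))
    amp_bad = sqrt((1 - eps) / (n - len(good)))
    return [amp_good if y in good else amp_bad for y in range(n)]


def apply_A(psi0, x):
    """Apply the Householder reflection that maps |s> (basis state 0) to psi0.

    The reflection is real, symmetric and orthogonal, so the same routine
    serves as both A and A^{-1}.
    """
    u = [(1.0 if k == 0 else 0.0) - a for k, a in enumerate(psi0)]
    scale = 2 * sum(a * b for a, b in zip(u, x)) / sum(a * a for a in u)
    return [b - scale * a for a, b in zip(u, x)]


def success_probabilities(eps, m, n=32, good=(5, 9)):
    """Success probability after 0, 1, ..., m rounds of |psi> <- A S A^{-1} W |psi>."""
    good = set(good)
    psi0 = initial_state(n, good, eps)
    start = [1.0] + [0.0] * (n - 1)          # basis state |s>
    psi = apply_A(psi0, start)               # step (1): |psi_0> = A|s>
    probs = [sum(psi[y] ** 2 for y in good)]
    for _ in range(m):                       # step (2)
        psi = [-a if y in good else a for y, a in enumerate(psi)]  # W
        psi = apply_A(psi0, psi)                                   # A^{-1}
        psi[0] = -psi[0]                                           # S
        psi = apply_A(psi0, psi)                                   # A
        # Each round also multiplies the state by a global sign of -1,
        # which leaves measurement probabilities unchanged.
        probs.append(sum(psi[y] ** 2 for y in good))
    return probs


def lemma108_probability(eps, i):
    """sin^2[(2i+1) alpha] with alpha = arcsin sqrt(eps)."""
    return sin((2 * i + 1) * asin(sqrt(eps))) ** 2


def max_iterations(eps):
    """Largest integer m allowed by Lemma 109."""
    return floor(pi / (4 * asin(sqrt(eps))) - 0.5)


def lemma109_bound(eps, m):
    """Lower bound (1 - (2m+1)^2 eps / 3) (2m+1)^2 eps of Lemma 109."""
    k = (2 * m + 1) ** 2 * eps
    return (1 - k / 3) * k


if __name__ == "__main__":
    eps = 0.01
    limit = max_iterations(eps)
    probs = success_probabilities(eps, 2 * limit + 1)
    for m, p in enumerate(probs):
        note = "" if m <= limit else "  (beyond the range of Lemma 109)"
        print(f"m={m:2d}  simulated={p:.6f}  "
              f"lemma 108={lemma108_probability(eps, m):.6f}{note}")
```

Running it past `max_iterations` shows why Lemma 109 restricts $m$: once $(2m + 1)\alpha$ exceeds $\pi/2$, further rounds rotate the state away from $|\Psi_{succ}\rangle$ and the success probability falls again.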



14.6.2 Dimension At Least 3 

Our goal is the following: 

Theorem 110 If $d \ge 3$, then $Q(\mathrm{OR}, \mathcal{L}_d) = O(\sqrt{n})$.

In this section, we prove Theorem 110 for the special case of a unique marked
vertex; then, in Sections 14.6.4 and 114.631 we will generalize to multiple marked vertices.
Let $\mathrm{OR}^{(k)}$ be the problem of deciding whether there are no marked vertices or exactly $k$ of
them, given that one of these is true. Then:

Theorem 111 If $d \ge 3$, then $Q(\mathrm{OR}^{(1)}, \mathcal{L}_d) = \Theta(\sqrt{n})$.



Choose constants $\beta \in (2/3, 1)$ and $\mu \in (1/3, 1/2)$ such that $\beta\mu > 1/3$ (for example,
$\beta = 4/5$ and $\mu = 5/11$ will work). Let $\ell_0$ be a large positive integer; then for all positive
integers $R$, let $\ell_R = \ell_{R-1} \left\lceil \ell_{R-1}^{1/\beta - 1} \right\rceil$. Also let $n_R = \ell_R^d$. Assume for simplicity that $n = n_R$
for some $R$; in other words, that the hypercube $\mathcal{L}_d(n_R)$ to be searched has sides of length
$\ell_R$. Later we will remove this assumption.

Consider the following recursive algorithm $\mathcal{A}$. If $n = n_0$, then search $\mathcal{L}_d(n_0)$
classically, returning 1 if a marked vertex is found and 0 otherwise. Otherwise partition
$\mathcal{L}_d(n_R)$ into $n_R/n_{R-1}$ subcubes, each one a copy of $\mathcal{L}_d(n_{R-1})$. Take the algorithm that
consists of picking a subcube $C$ uniformly at random, and then running $\mathcal{A}$ recursively on
$C$. Amplify this algorithm $(n_R/n_{R-1})^{\mu}$ times.

The intuition behind the exponents is that $n_{R-1} \approx n_R^{\beta}$, so searching $\mathcal{L}_d(n_{R-1})$
should take about $n_R^{\beta/2}$ steps, which dominates the $n_R^{1/d}$ steps needed to travel across the
hypercube when $d \ge 3$. Also, at level $R$ we want to amplify a number of times that
is less than $(n_R/n_{R-1})^{1/2}$ by some polynomial amount, since full amplification would be
inefficient. The reason for the constraint $\beta\mu > 1/3$ will appear in the analysis.

We now provide a more explicit description of $\mathcal{A}$, which shows that $\mathcal{A}$ can be
implemented using C-local unitaries and only a single bit of workspace. At any time, the
quantum robot's state will have the form $\sum_{i,z} \alpha_{i,z} |v_i, z\rangle$, where $v_i$ is a vertex of $\mathcal{L}_d(n_R)$
and $z$ is a single bit that records whether or not a marked vertex has been found. Given a
subcube $C$, let $v(C)$ be the "corner" vertex of $C$; that is, the vertex that is minimal in all $d$
coordinates. Then the initial state when searching $C$ will be $|v(C), 0\rangle$. Beware, however,
that "initial state" in this context just means the state $|s\rangle$ from Section 14.6.1. Because
of the way amplitude amplification works, $\mathcal{A}$ will often be invoked on $C$ with other initial
states, and even run in reverse.

Below we give pseudocode for $\mathcal{A}$. Our procedure calls the three unitaries $A$, $W$,
and $S$ from Section 14.6.1 as subroutines. For convenience, we write $\mathcal{A}_R$, $A_R$, $W_R$, $S_R$ to
denote the level of recursion that is currently active.

Algorithm 112 (Ar) Searches a subcube C of size ur for the marked vertex, and amplifies 
the result to have larger probability. Default initial state: \v (C) ,0). 
If R = then: 

(1) Use classical C-local operations to visit all uq vertices of C in any order. At each 
Vi S C, use a query transformation to map the state \vi,z) to \ 

(2) Return to v(C). 

If R > 1 then: 
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(1) Let vtlr be the smallest integer such that 2m,R + 1 > (tir/ur-i)^ . 

(2) CallA R . 

(3) For i = 1 to rriR, call Wr, then A^ 1 , then Sr, then Ar. 

Suppose $A_R$ is run on the initial state $|v(C), 0\rangle$, and let $C_1, \ldots, C_{n_R/n_0}$ be the
minimal subcubes in $C$ — meaning those of size $n_0$. Then the final state after $A_R$ terminates
should be

$$\frac{1}{\sqrt{n_R/n_0}} \sum_{i=1}^{n_R/n_0} |v(C_i), 0\rangle$$

if $C$ does not contain the marked vertex. Otherwise the final state should have non-negligible
overlap with $|v(C_{i^*}), 1\rangle$, where $C_{i^*}$ is the minimal subcube in $C$ that contains
the marked vertex. In particular, if $R = 0$, then the final state should be $|v(C), 1\rangle$ if $C$
contains the marked vertex, and $|v(C), 0\rangle$ otherwise.

The two phase-flip subroutines, $W_R$ and $S_R$, are both trivial to implement. To
apply $W_R$, map each basis state $|v_i, z\rangle$ to $(-1)^z |v_i, z\rangle$. To apply $S_R$, map each basis state
$|v_i, z\rangle$ to $-|v_i, z\rangle$ if $v_i = v(C)$ for some subcube $C$ of size $n_R$, and to $|v_i, z\rangle$ otherwise.
Below we give pseudocode for $\mathcal{A}_R$.

Algorithm 113 ($\mathcal{A}_R$) Searches a subcube $C$ of size $n_R$ for the marked vertex. Default
initial state: $|v(C), 0\rangle$.

(1) Partition $C$ into $n_R/n_{R-1}$ smaller subcubes $C_1, \ldots, C_{n_R/n_{R-1}}$, each of size $n_{R-1}$.

(2) For all $j \in \{1, \ldots, d\}$, let $V_j$ be the set of corner vertices $v(C_i)$ that differ from $v(C)$
only in the first $j$ coordinates. Thus $V_0 = \{v(C)\}$, and in general $|V_j| = \ell_R^{\,j}$. For
$j = 1$ to $d$, let $|V_j\rangle$ be the state

$$|V_j\rangle = \frac{1}{\ell_R^{\,j/2}} \sum_{v(C_i) \in V_j} |v(C_i), 0\rangle.$$

Apply a sequence of transformations $U_1, U_2, \ldots, U_d$ where $U_j$ is a unitary that maps
$|V_{j-1}\rangle$ to $|V_j\rangle$ by applying C-local unitaries that move amplitude only along the $j$-th
coordinate.

(3) Call $A_{R-1}$ recursively, to search $C_1, \ldots, C_{n_R/n_{R-1}}$ in superposition and amplify the
results.

If $\mathcal{A}_R$ is run on the initial state $|v(C), 0\rangle$, then the final state should be

$$\frac{1}{\sqrt{n_R/n_{R-1}}} \sum_{i=1}^{n_R/n_{R-1}} |\phi_i\rangle,$$

where $|\phi_i\rangle$ is the correct final state when $A_{R-1}$ is run on subcube $C_i$ with initial state
$|v(C_i), 0\rangle$. A key point is that there is no need for $\mathcal{A}_R$ to call $A_{R-1}$ twice, once to compute
and once to uncompute — for the uncomputation is already built in to $A$. This is what will
enable us to prove an upper bound of $O(\sqrt{n})$ instead of $O(\sqrt{n}\, 2^R) = O(\sqrt{n}\, \mathrm{polylog}\, n)$.
We now analyze the running time of $A_R$.

Lemma 114 $A_R$ uses $O(n_R^{\mu})$ steps.

Proof. Let $T_A(R)$ and $T_{\mathcal{A}}(R)$ be the total numbers of steps used by $A_R$ and $\mathcal{A}_R$
respectively in searching $\mathcal{L}_d(n_R)$. Then we have $T_A(0) = O(1)$, and

$$T_A(R) \le (2m_R + 1)\, T_{\mathcal{A}}(R) + 2m_R,$$
$$T_{\mathcal{A}}(R) \le d\, n_R^{1/d} + T_A(R-1)$$

for all $R \ge 1$. For $W_R$ and $S_R$ can both be implemented in a single step, while $\mathcal{A}_R$ uses
$d\ell_R = d\, n_R^{1/d}$ steps to move the robot across the hypercube. Combining,

$$
\begin{aligned}
T_A(R) &\le (2m_R + 1)\left(d\, n_R^{1/d} + T_A(R-1)\right) + 2m_R \\
&\le \left((n_R/n_{R-1})^{\mu} + 2\right)\left(d\, n_R^{1/d} + T_A(R-1)\right) + (n_R/n_{R-1})^{\mu} + 1 \\
&= O\left((n_R/n_{R-1})^{\mu}\, n_R^{1/d}\right) + \left((n_R/n_{R-1})^{\mu} + 2\right) T_A(R-1) \\
&= O\left((n_R/n_{R-1})^{\mu}\, n_R^{1/d}\right) + (n_R/n_{R-1})^{\mu}\, T_A(R-1) \\
&= O\left((n_R/n_{R-1})^{\mu}\, n_R^{1/d} + (n_R/n_{R-2})^{\mu}\, n_{R-1}^{1/d} + \cdots + (n_R/n_0)^{\mu}\, n_1^{1/d}\right) \\
&\;\;\vdots \\
&= O\left(n_R^{\mu}\right).
\end{aligned}
$$

Here the second line follows because $2m_R + 1 \le (n_R/n_{R-1})^{\mu} + 2$, the fourth because the
$(n_R/n_{R-1})^{\mu}$ terms increase doubly exponentially, so adding 2 to each will not affect the
asymptotics; the seventh because $n_R^{\mu} = \Omega\left((n_{R+1}^{\mu})^{\beta}\right)$, the eighth because $n_{R-1} \le n_R$; and
the last because $\beta\mu > 1/3 \ge 1/d$, hence $n_1^{1/d - \beta\mu} < 1$. ■

Next we need to lower-bound the success probability. Say that $A$ or $\mathcal{A}$ "succeeds"
if a measurement in the standard basis yields the result $|v(C_{i^*}), 1\rangle$, where $C_{i^*}$ is the minimal
subcube that contains the marked vertex. Of course, the marked vertex itself can then be
found in $n_0 = O(1)$ steps.

Lemma 115 Assuming there is a unique marked vertex, $A_R$ succeeds with probability $\Omega\left(1/n_R^{1-2\mu}\right)$.

Proof. Let $P_A(R)$ and $P_{\mathcal{A}}(R)$ be the success probabilities of $A_R$ and $\mathcal{A}_R$ respectively
when searching $\mathcal{L}_d(n_R)$. Then clearly $P_A(0) = 1$, and $P_{\mathcal{A}}(R) = (n_{R-1}/n_R)\, P_A(R-1)$
for all $R \ge 1$. So by Lemma 109,

$$
\begin{aligned}
P_A(R) &\ge \left(1 - \tfrac{1}{3}(2m_R+1)^2 P_{\mathcal{A}}(R)\right)(2m_R+1)^2 P_{\mathcal{A}}(R) \\
&= \left(1 - \tfrac{1}{3}(2m_R+1)^2 \frac{n_{R-1}}{n_R} P_A(R-1)\right)(2m_R+1)^2 \frac{n_{R-1}}{n_R} P_A(R-1) \\
&\ge \left(1 - \tfrac{1}{3}(n_R/n_{R-1})^{2\mu} \frac{n_{R-1}}{n_R} P_A(R-1)\right)(n_R/n_{R-1})^{2\mu} \frac{n_{R-1}}{n_R} P_A(R-1) \\
&\ge \left(1 - \tfrac{1}{3}(n_{R-1}/n_R)^{1-2\mu}\right)(n_{R-1}/n_R)^{1-2\mu} P_A(R-1) \\
&\ge (n_0/n_R)^{1-2\mu} \prod_{r=1}^{R}\left(1 - \tfrac{1}{3}(n_{r-1}/n_r)^{1-2\mu}\right) \\
&\ge (n_0/n_R)^{1-2\mu} \prod_{r=1}^{R}\left(1 - \frac{1}{3\, n_r^{(1-\beta)(1-2\mu)}}\right) \\
&= \Omega\left(1/n_R^{1-2\mu}\right).
\end{aligned}
$$

Here the third line follows because $2m_R + 1 \ge (n_R/n_{R-1})^{\mu}$ and the function $x - \tfrac{1}{3}x^2$ is
nondecreasing in the interval $[0, 1]$; the fourth because $P_A(R-1) \le 1$; the sixth because
$n_{R-1} \le n_R^{\beta}$; and the last because $\beta < 1$ and $\mu < 1/2$, the $n_R$'s increase doubly exponentially,
and $n_0$ is sufficiently large. ■

Finally, take $A_R$ itself and amplify it to success probability $\Omega(1)$ by running it
$O\left(n_R^{1/2-\mu}\right)$ times. This yields an algorithm for searching $\mathcal{L}_d(n_R)$ with overall running time
$O\left(n_R^{1/2}\right)$, which implies that $Q\left(\mathrm{OR}^{(1)}, \mathcal{L}_d(n_R)\right) = O\left(n_R^{1/2}\right)$.

All that remains is to handle values of $n$ that do not equal $n_R$ for any $R$. The solution
is simple: first find the largest $R$ such that $n_R < n$. Then set $n' = n_R \left\lceil n^{1/d}/\ell_R \right\rceil^d$, and
embed $\mathcal{L}_d(n)$ into the larger hypercube $\mathcal{L}_d(n')$. Clearly $Q\left(\mathrm{OR}^{(1)}, \mathcal{L}_d(n)\right) \le Q\left(\mathrm{OR}^{(1)}, \mathcal{L}_d(n')\right)$.
Also notice that $n' = O(n)$ and that $n' = O\left(n_R^{1/\beta}\right) = O\left(n_R^{3/2}\right)$. Next partition $\mathcal{L}_d(n')$
into $n'/n_R$ subcubes, each a copy of $\mathcal{L}_d(n_R)$. The algorithm will now have one additional
level of recursion, which chooses a subcube of $\mathcal{L}_d(n')$ uniformly at random, runs $A_R$ on
that subcube, and then amplifies the resulting procedure $\Theta\left(\sqrt{n'/n_R}\right)$ times. The total
time is now

$$O\left(\sqrt{\frac{n'}{n_R}}\left((n')^{1/d} + n_R^{1/2}\right)\right) = O\left(\sqrt{n}\right),$$

while the success probability is $\Omega(1)$. This completes Theorem 111.

14.6.3 Dimension 2

In the $d = 2$ case, the best we can achieve is the following:

Theorem 116 $Q(\mathrm{OR}, \mathcal{L}_2) = O\left(\sqrt{n} \log^{5/2} n\right)$.

Again, we start with the single marked vertex case and postpone the general case
to Sections 14.6.4 and 14.6.5.

Theorem 117 $Q\left(\mathrm{OR}^{(1)}, \mathcal{L}_2\right) = O\left(\sqrt{n} \log^{3/2} n\right)$.

For $d \ge 3$, we performed amplification on large (greater than $O\left(1/n^{1-2\mu}\right)$) probabilities
only once, at the end. For $d = 2$, on the other hand, any algorithm that we construct
with any nonzero success probability will have running time $\Omega(\sqrt{n})$, simply because that
is the diameter of the grid. If we want to keep the running time $O(\sqrt{n})$, then we can
only perform $O(1)$ amplification steps at the end. Therefore we need to keep the success
probability relatively high throughout the recursion, meaning that we suffer an increase in
the running time, since amplification to high probabilities is less efficient.

The procedures $A_R$, $\mathcal{A}_R$, $W_R$, and $S_R$ are identical to those in Section 14.6.2; all
that changes are the parameter settings. For all integers $R \ge 0$, we now let $n_R = \ell_0^{2R}$, for
some odd integer $\ell_0 \ge 3$ to be set later. Thus, $A_R$ and $\mathcal{A}_R$ search the square grid $\mathcal{L}_2(n_R)$ of
size $\ell_0^R \times \ell_0^R$. Also, let $m = (\ell_0 - 1)/2$; then $A_R$ applies $m$ steps of amplitude amplification
to $\mathcal{A}_R$.

We now prove the counterparts of Lemmas 114 and 115 for the two-dimensional
case.

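Lemma 118 $A_R$ uses $O\left(R\, \ell_0^{R+1}\right)$ steps.

Proof. Let $T_A(R)$ and $T_{\mathcal{A}}(R)$ be the time used by $A_R$ and $\mathcal{A}_R$ respectively in
searching $\mathcal{L}_2(n_R)$. Then $T_A(0) = 1$, and for all $R \ge 1$,

$$T_A(R) \le (2m + 1)\, T_{\mathcal{A}}(R) + 2m,$$
$$T_{\mathcal{A}}(R) \le 2 n_R^{1/2} + T_A(R-1).$$

Combining,

$$
\begin{aligned}
T_A(R) &\le (2m + 1)\left(2 n_R^{1/2} + T_A(R-1)\right) + 2m \\
&= \ell_0\left(2\ell_0^R + T_A(R-1)\right) + \ell_0 - 1 \\
&= O\left(\ell_0^{R+1} + \ell_0\, T_A(R-1)\right) \\
&= O\left(R\, \ell_0^{R+1}\right).
\end{aligned}
$$

■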

Lemma 119 $A_R$ succeeds with probability $\Omega(1/R)$.

Proof. Let $P_A(R)$ and $P_{\mathcal{A}}(R)$ be the success probabilities of $A_R$ and $\mathcal{A}_R$ respectively
when searching $\mathcal{L}_2(n_R)$. Then $P_{\mathcal{A}}(R) = P_A(R-1)/\ell_0^2$ for all $R \ge 1$. So by Lemma
109, and using the fact that $2m + 1 = \ell_0$,

$$
\begin{aligned}
P_A(R) &\ge \left(1 - \frac{(2m+1)^2}{3} P_{\mathcal{A}}(R)\right)(2m+1)^2 P_{\mathcal{A}}(R) \\
&= \left(1 - \frac{\ell_0^2}{3} \cdot \frac{P_A(R-1)}{\ell_0^2}\right) \ell_0^2 \cdot \frac{P_A(R-1)}{\ell_0^2} \\
&= P_A(R-1) - \tfrac{1}{3} P_A^2(R-1) \\
&= \Omega(1/R).
\end{aligned}
$$

This is because $\Omega(R)$ iterations of the map $x_R := x_{R-1} - \tfrac{1}{3} x_{R-1}^2$ are needed to drop from
(say) $2/R$ to $1/R$, and $x_0 = P_A(0) = 1$ is greater than $2/R$. ■

We can amplify $A_R$ to success probability $\Omega(1)$ by repeating it $O\left(\sqrt{R}\right)$ times.
This yields an algorithm for searching $\mathcal{L}_2(n_R)$ that uses

steps in total. We can minimize this expression subject to $\ell_0^{2R} = n_R$ by taking $\ell_0$ to be
constant and $R$ to be $\Theta(\log n_R)$, which yields $Q\left(\mathrm{OR}^{(1)}, \mathcal{L}_2(n_R)\right) = O\left(\sqrt{n_R} \log^{3/2} n_R\right)$. If
$n$ is not of the form $\ell_0^{2R}$, then we simply find the smallest integer $R$ such that $n < \ell_0^{2R}$, and
embed $\mathcal{L}_2(n)$ in the larger grid $\mathcal{L}_2\left(\ell_0^{2R}\right)$. Since $\ell_0$ is a constant, this increases the running
time by at most a constant factor. We have now proved Theorem 117.
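The two recurrences behind Lemmas 118 and 119 can be iterated numerically. The Python sketch below is an added illustration, not code from the thesis; the function names are hypothetical, and `success_exact` assumes the standard amplitude-amplification formula $\sin^2((2m+1)\theta)$ with $\sin^2\theta$ equal to the success probability of $\mathcal{A}_R$, which this section does not state.

```python
import math


def steps(l0, R):
    """T_A(R) from the recurrence in the proof of Lemma 118, taken with equality."""
    t = 1                                        # T_A(0) = 1
    for r in range(1, R + 1):
        # (2m+1) * (2 * n_r^{1/2} + T_A(r-1)) + 2m, with 2m + 1 = l0 and n_r^{1/2} = l0^r
        t = l0 * (2 * l0 ** r + t) + l0 - 1
    return t


def success_lower_bound(R):
    """Iterate x_R = x_{R-1} - x_{R-1}^2 / 3 from x_0 = 1 (proof of Lemma 119)."""
    x = 1.0
    for _ in range(R):
        x -= x * x / 3
    return x


def success_exact(l0, R):
    """Same recursion, using sin^2((2m+1) * theta) instead of the lower bound.

    Assumption (not from this section): after m rounds of amplitude
    amplification a procedure with success probability p succeeds with
    probability sin^2((2m+1) * asin(sqrt(p))).
    """
    p = 1.0
    for _ in range(R):
        theta = math.asin(math.sqrt(p / l0 ** 2))   # calligraphic A_R: one of l0^2 sub-grids
        p = math.sin(l0 * theta) ** 2               # 2m + 1 = l0 amplification factor
    return p


def total_cost(l0, R):
    """Steps of A_R times the O(sqrt(1/P)) repetitions needed for constant success."""
    return steps(l0, R) / math.sqrt(success_lower_bound(R))


def cost_ratio(l0, R):
    """total_cost divided by sqrt(n) * log2(n)^{3/2} for n = l0^(2R)."""
    n = l0 ** (2 * R)
    return total_cost(l0, R) / (math.sqrt(n) * math.log2(n) ** 1.5)


if __name__ == "__main__":
    for R in (2, 5, 10, 20):
        print(R, steps(3, R), round(success_lower_bound(R), 4),
              round(success_exact(3, R), 4), round(cost_ratio(3, R), 3))
```

With $\ell_0 = 3$ the ratio in the last column stays bounded as $R$ grows, which is the $O(\sqrt{n} \log^{3/2} n)$ behaviour claimed in Theorem 117.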

14.6.4 Multiple Marked Items 

What about the case in which there are multiple $i$'s with $x_i = 1$? If there are $k$ marked
items (where $k$ need not be known in advance), then Grover's algorithm can find a marked
item with high probability in $O\left(\sqrt{n/k}\right)$ queries, as shown by Boyer et al. [Hfij . In our
setting, however, this is too much to hope for — since even if there are many marked vertices,
they might all be in a faraway part of the hypercube. Then $\Omega\left(n^{1/d}\right)$ steps are needed,
even if $\sqrt{n/k} < n^{1/d}$. Indeed, we can show a stronger lower bound. Recall that $\mathrm{OR}^{(k)}$ is
the problem of deciding whether there are no marked vertices or exactly $k$ of them.

Theorem 120 For all constants $d \ge 2$,

$$Q\left(\mathrm{OR}^{(k)}, \mathcal{L}_d\right) = \Omega\left(\frac{\sqrt{n}}{k^{1/2-1/d}}\right).$$

Proof. For simplicity, we assume that both $k^{1/d}$ and $\left(n/(3^d k)\right)^{1/d}$ are integers. (In
the general case, we can just replace $k$ by $\left\lceil k^{1/d} \right\rceil^d$ and $n$ by the largest number of the form
$\left(3m \left\lceil k^{1/d} \right\rceil\right)^d$ which is less than $n$. This only changes the lower bound by a lower order
term.)

We use a hybrid argument almost identical to that of Theorem 107. Divide $\mathcal{L}_d$
into $n/k$ subcubes, each having $k$ vertices and side length $k^{1/d}$. Let $S$ be a regularly-spaced
set of $M = n/(3^d k)$ of these subcubes, so that any two subcubes in $S$ have distance at least
$2k^{1/d}$ from one another. Then choose a subcube $C_j \in S$ uniformly at random and mark
all $k$ vertices in $C_j$. This enables us to consider each $C_j \in S$ itself as a single vertex (out
of $M$ in total), having distance at least $2k^{1/d}$ to every other vertex.

More formally, given a subcube $C_j \in S$, let $\widetilde{C}_j$ be the set of vertices consisting of
$C_j$ and the $3^d - 1$ subcubes surrounding it. (Thus, $\widetilde{C}_j$ is a subcube of side length $3k^{1/d}$.)
Then the query magnitude of $\widetilde{C}_j$ after the $t$-th query is

where $X_0$ is the all-zero input. Let $T$ be the number of queries, and let $w = T/\left(ck^{1/d}\right)$ for
some constant $c > 0$. Then as in Theorem 107, there must exist a subcube $\widetilde{C}_{j^*}$ such that



w— 1 



J - M n 

Let $Y^*$ be the input which is 1 in $C_{j^*}$ and 0 elsewhere; then let $X_q$ be a hybrid input which
is $X_0$ during queries 1 to $T - qck^{1/d}$, but $Y^*$ during queries $T - qck^{1/d} + 1$ to $T$. Next let

Then as in Theorem 107, for all $c < 1$ we have $D(q-1, q) \le 4\Gamma_{j^*}^{\left(T - qck^{1/d}\right)}$. For in the $ck^{1/d}$
queries from $T - qck^{1/d} + 1$ through $T - (q-1)ck^{1/d}$, no amplitude originating outside $\widetilde{C}_{j^*}$
can travel a distance $k^{1/d}$ and thereby reach $C_{j^*}$. Therefore switching from $X_{q-1}$ to $X_q$
can only affect amplitude that is in $\widetilde{C}_{j^*}$ immediately after query $T - qck^{1/d}$. It follows that



5=1 g=l V 

Hence $T = \Omega\left(\sqrt{n}/k^{1/2-1/d}\right)$ for constant $d$, since assuming the algorithm is correct we need
$D(0, w) = \Omega(1)$. ■

Notice that if $k \approx n$, then the bound of Theorem 120 becomes $\Omega\left(n^{1/d}\right)$ which is
just the diameter of $\mathcal{L}_d$. Also, if $d = 2$, then $1/2 - 1/d = 0$ and the bound is simply $\Omega(\sqrt{n})$
independent of $k$. The bound of Theorem 120 can be achieved (up to a constant factor that
depends on $d$) for $d \ge 3$, and nearly achieved for $d = 2$. We first construct an algorithm
for the case when $k$ is known.

Theorem 121

(i) For $d \ge 3$,

$$Q\left(\mathrm{OR}^{(k)}, \mathcal{L}_d\right) = O\left(\frac{\sqrt{n}}{k^{1/2-1/d}}\right).$$

(ii) For $d = 2$,

$$Q\left(\mathrm{OR}^{(k)}, \mathcal{L}_2\right) = O\left(\sqrt{n} \log^{3/2} n\right).$$

To prove Theorem 121, we first divide $\mathcal{L}_d(n)$ into $n/\gamma$ subcubes, each of size
$\gamma^{1/d} \times \cdots \times \gamma^{1/d}$ (where $\gamma$ will be fixed later). Then in each subcube, we choose one vertex
uniformly at random.

Lemma 122 If $\gamma \ge k$, then the probability that exactly one marked vertex is chosen is at
least $k/\gamma - (k/\gamma)^2$.

Proof. Let $x$ be a marked vertex. The probability that $x$ is chosen is $1/\gamma$. Given
that $x$ is chosen, the probability that one of the other marked vertices, $y$, is chosen is 0 if $x$
and $y$ belong to the same subcube, or $1/\gamma$ if they belong to different subcubes. Therefore,
the probability that $x$ alone is chosen is at least

$$\frac{1}{\gamma}\left(1 - \frac{k-1}{\gamma}\right) \ge \frac{1}{\gamma}\left(1 - \frac{k}{\gamma}\right).$$

Since the events "$x$ alone is chosen" are mutually disjoint, we conclude that the probability
that exactly one marked vertex is chosen is at least $k/\gamma - (k/\gamma)^2$. ■

In particular, fix $\gamma$ so that $\gamma/3 < k < 2\gamma/3$; then Lemma 122 implies that the
probability of choosing exactly one marked vertex is at least 2/9. The algorithm is now as
follows. As in the lemma, subdivide $\mathcal{L}_d(n)$ into $n/\gamma$ subcubes and choose one location at
random from each. Then run the algorithm for the unique-solution case (Theorem 111 or
117) on the chosen locations only, as if they were vertices of $\mathcal{L}_d(n/\gamma)$.

The running time in the unique case was $O\left(\sqrt{n/\gamma}\right)$ for $d \ge 3$ or

$$O\left(\sqrt{\frac{n}{\gamma}} \log^{3/2}(n/\gamma)\right) = O\left(\sqrt{\frac{n}{\gamma}} \log^{3/2} n\right)$$

for $d = 2$. However, each local unitary in the original algorithm now becomes a unitary
affecting two vertices $v$ and $w$ in neighboring subcubes $C_v$ and $C_w$. When placed side by
side, $C_v$ and $C_w$ form a rectangular box of size $2\gamma^{1/d} \times \gamma^{1/d} \times \cdots \times \gamma^{1/d}$. Therefore the
distance between $v$ and $w$ is at most $(d+1)\gamma^{1/d}$. It follows that each local unitary in the
original algorithm takes $O\left(d\gamma^{1/d}\right)$ time in the new algorithm. For $d \ge 3$, this results in an
overall running time of

For d = 2 we obtain

14.6.5 Unknown Number of Marked Items

We now show how to deal with an unknown $k$. Let $\mathrm{OR}^{(\ge k)}$ be the problem of deciding
whether there are no marked vertices or at least $k$ of them, given that one of these is true.

Theorem 123

(i) For $d \ge 3$,

$$Q\left(\mathrm{OR}^{(\ge k)}, \mathcal{L}_d\right) = O\left(\frac{\sqrt{n}}{k^{1/2-1/d}}\right).$$

(ii) For $d = 2$,

$$Q\left(\mathrm{OR}^{(\ge k)}, \mathcal{L}_2\right) = O\left(\sqrt{n} \log^{5/2} n\right).$$

Proof. We use the straightforward 'doubling' approach of Boyer et al.

(1) For $j = 0$ to $\log_2(n/k)$

• Run the algorithm of Theorem 121 with subcubes of size $\gamma_j = 2^j k$.

• If a marked vertex is found, then output 1 and halt.

(2) Query a random vertex $v$, and output 1 if $v$ is a marked vertex and 0 otherwise.

Let $k^* \ge k$ be the number of marked vertices. If $k^* \le n/3$, then there exists a
$j \le \log_2(n/k)$ such that $\gamma_j/3 \le k^* \le 2\gamma_j/3$. So Lemma 122 implies that the $j$-th iteration
of step (1) finds a marked vertex with probability at least 2/9. On the other hand, if
$k^* \ge n/3$, then step (2) finds a marked vertex with probability at least 1/3. For $d \ge 3$, the
time used in step (1) is at most

$$\sum_{j=0}^{\log_2(n/k)} O\left(\frac{\sqrt{n}}{\gamma_j^{1/2-1/d}}\right) = O\left(\frac{\sqrt{n}}{k^{1/2-1/d}}\left[\sum_{j=0}^{\log_2(n/k)} \frac{1}{2^{j(1/2-1/d)}}\right]\right) = O\left(\frac{\sqrt{n}}{k^{1/2-1/d}}\right),$$

the sum in brackets being a decreasing geometric series. For $d = 2$, the time is $O\left(\sqrt{n} \log^{5/2} n\right)$,
since each iteration takes $O\left(\sqrt{n} \log^{3/2} n\right)$ time and there are at most $\log n$ iterations. In
neither case does step (2) affect the bound, since $k \le n$ implies that $n^{1/d} \le \sqrt{n}/k^{1/2-1/d}$.
■
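The sampling step of Lemma 122 and the doubling schedule in the proof of Theorem 123 are purely classical and can be checked exactly. The Python sketch below is an added illustration, not code from the thesis; the function names are hypothetical, and subcubes are modelled only as blocks of $\gamma$ vertices with a given number of marked vertices in each.

```python
from fractions import Fraction


def exactly_one_probability(marked_per_block, gamma):
    """Exact probability that exactly one chosen vertex is marked.

    One vertex is drawn uniformly from each block of gamma vertices;
    marked_per_block[s] is the number of marked vertices in block s.
    """
    if any(not 0 <= m <= gamma for m in marked_per_block):
        raise ValueError("each block holds between 0 and gamma marked vertices")
    total = Fraction(0)
    for s, m_s in enumerate(marked_per_block):
        term = Fraction(m_s, gamma)               # block s yields a marked vertex
        for t, m_t in enumerate(marked_per_block):
            if t != s:
                term *= 1 - Fraction(m_t, gamma)  # every other block yields an unmarked one
        total += term
    return total


def lemma_122_bound(k, gamma):
    """The lower bound k/gamma - (k/gamma)^2, valid for gamma >= k."""
    if gamma < k:
        raise ValueError("Lemma 122 assumes gamma >= k")
    x = Fraction(k, gamma)
    return x - x * x


def doubling_schedule(n, k):
    """Block sizes gamma_j = 2^j * k for j = 0 .. floor(log2(n/k))."""
    sizes = []
    gamma = k
    while gamma <= n:
        sizes.append(gamma)
        gamma *= 2
    return sizes


def good_iteration(n, k, k_star):
    """First j with gamma_j/3 <= k_star <= 2*gamma_j/3, and the bound it gives.

    Returns (j, bound) or None if no iteration of step (1) qualifies, which
    is the case the random query in step (2) is there to cover.
    """
    for j, gamma in enumerate(doubling_schedule(n, k)):
        if gamma <= 3 * k_star and 3 * k_star <= 2 * gamma:
            return j, lemma_122_bound(k_star, gamma)
    return None


if __name__ == "__main__":
    # Constructed layouts: five marked vertices, blocks of gamma = 8 vertices.
    print(exactly_one_probability([5], 8), exactly_one_probability([1] * 5, 8),
          lemma_122_bound(5, 8))
    print(good_iteration(4096, 3, 100), good_iteration(4096, 3, 4000))
```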

Taking $k = 1$ gives algorithms for unconstrained OR with running times $O(\sqrt{n})$
for $d \ge 3$ and $O\left(\sqrt{n} \log^{5/2} n\right)$ for $d = 2$, thereby establishing Theorems 110 and 116.

14.7 Search on Irregular Graphs

In Section 14.2, we claimed that our divide-and-conquer approach has the advantage of
being robust: it works not only for highly symmetric graphs such as hypercubes, but for
any graphs having comparable expansion properties. Let us now substantiate this claim.

Say a family of connected graphs $\{G_n = (V_n, E_n)\}$ is $d$-dimensional if there exists
a $\kappa > 0$ such that for all $n$, $\ell$ and $v \in V_n$,

$$|B(v, \ell)| \ge \min\left(\kappa \ell^d, n\right),$$

where $B(v, \ell)$ is the set of vertices having distance at most $\ell$ from $v$ in $G_n$. Intuitively,
$G_n$ is $d$-dimensional (for $d \ge 2$ an integer) if its expansion properties are at least as good
as those of the hypercube $\mathcal{L}_d(n)$.$^5$ It is immediate that the diameter of $G_n$ is at most
$(n/\kappa)^{1/d}$. Note, though, that $G_n$ might not be an expander graph in the usual sense, since
we have not required that every sufficiently small set of vertices has many neighbors.
Our goal is to show the following.

Theorem 124 If $G$ is $d$-dimensional, then

(i) For a constant $d > 2$,

$$Q(\mathrm{OR}, G) = O\left(\sqrt{n}\, \mathrm{polylog}\, n\right).$$

(ii) For $d = 2$,

$$Q(\mathrm{OR}, G) = \sqrt{n}\, 2^{O\left(\sqrt{\log n}\right)}.$$

In proving part (i), the intuition is simple: we want to decompose $G$ recursively
into subgraphs (called clusters), which will serve the same role as subcubes did in the
hypercube case. The procedure is as follows. For some constant $n_1 > 1$, first choose
$\lceil n/n_1 \rceil$ vertices uniformly at random to be designated as 1-pegs. Then form 1-clusters by
assigning each vertex in $G$ to its closest 1-peg, as in a Voronoi diagram. (Ties are broken
randomly.) Let $v(C)$ be the peg of cluster $C$. Next, split up any 1-cluster $C$ with more
than $n_1$ vertices into $\lceil |C|/n_1 \rceil$ arbitrarily-chosen 1-clusters, each with size at most $n_1$ and
with $v(C)$ as its 1-peg. Observe that

$$\sum_{i=1}^{\lceil n/n_1 \rceil} \left\lceil \frac{|C_i|}{n_1} \right\rceil \le 2 \left\lceil \frac{n}{n_1} \right\rceil,$$

where $n = |C_1| + \cdots + |C_{\lceil n/n_1 \rceil}|$. Therefore, the splitting-up step can at most double the
number of clusters.
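The first level of this decomposition is a classical graph computation. The Python sketch below is an added illustration, not code from the thesis; the function names, the grid test graph and the seed are assumptions, and ties between equally close pegs are broken by a randomized search order rather than by an exactly uniform choice.

```python
import math
import random
from collections import deque


def grid_graph(side):
    """Adjacency lists of a side x side grid, a 2-dimensional graph in the text's sense."""
    moves = ((1, 0), (-1, 0), (0, 1), (0, -1))
    return {
        (x, y): [(x + dx, y + dy) for dx, dy in moves
                 if 0 <= x + dx < side and 0 <= y + dy < side]
        for x in range(side) for y in range(side)
    }


def build_one_clusters(adj, n1, rng):
    """Return (pegs, clusters, radius); each cluster is a (peg, vertex list) pair."""
    n = len(adj)
    pegs = rng.sample(sorted(adj), math.ceil(n / n1))   # ceil(n/n1) random 1-pegs

    # Voronoi step: a breadth-first search started from all pegs at once reaches
    # every vertex first from one of its closest pegs. Shuffling the start order
    # and the neighbour order randomizes the choice among equally close pegs.
    rng.shuffle(pegs)
    owner = {p: p for p in pegs}
    dist = {p: 0 for p in pegs}
    queue = deque(pegs)
    while queue:
        v = queue.popleft()
        neighbours = list(adj[v])
        rng.shuffle(neighbours)
        for w in neighbours:
            if w not in owner:
                owner[w] = owner[v]
                dist[w] = dist[v] + 1
                queue.append(w)

    voronoi = {}
    for v, p in owner.items():
        voronoi.setdefault(p, []).append(v)

    # Splitting step: a cell with more than n1 vertices is cut into
    # ceil(|C|/n1) pieces of size at most n1 that all keep the same peg.
    clusters = []
    for p, members in voronoi.items():
        for start in range(0, len(members), n1):
            clusters.append((p, members[start:start + n1]))

    return pegs, clusters, max(dist.values())


def check_decomposition(side=32, n1=16, seed=1):
    """Build the 1-clusters of a grid and report the quantities the text bounds."""
    adj = grid_graph(side)
    pegs, clusters, radius = build_one_clusters(adj, n1, random.Random(seed))
    n = len(adj)
    return {
        "n": n,
        "pegs": len(pegs),
        "clusters": len(clusters),
        "bound": 2 * math.ceil(n / n1),          # at most double the number of pegs
        "largest": max(len(members) for _, members in clusters),
        "covered": sorted(v for _, m in clusters for v in m) == sorted(adj),
        "radius": radius,                        # largest vertex-to-peg distance
    }


if __name__ == "__main__":
    print(check_decomposition())
```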

In the next iteration, set $n_2 = n_1^{1/\beta}$, for some constant $\beta \in (2/d, 1)$. Choose
$2\lceil n/n_2 \rceil$ vertices uniformly at random as 2-pegs. Then form 2-clusters by assigning each
1-cluster $C$ to the 2-peg that is closest to the 1-peg $v(C)$. Given a 2-cluster $C'$, let $|C'|$
be the number of 1-clusters in $C'$. Then as before, split up any $C'$ with $|C'| > n_2/n_1$
into $\lceil |C'|/(n_2/n_1) \rceil$ arbitrarily-chosen 2-clusters, each with size at most $n_2/n_1$ and with
$v(C')$ as its 2-peg. Continue recursively in this manner, setting $n_R = n_{R-1}^{1/\beta}$ and choosing
$2^{R-1}\lceil n/n_R \rceil$ vertices as $R$-pegs for each $R$. Stop at the maximum $R$ such that $n_R \le n$.
For technical convenience, set $n_0 = 1$, and consider each vertex $v$ to be the 0-peg of the
0-cluster $\{v\}$.

5 In general, it makes sense to consider non-integer $d$ as well.

At the end we have a tree of clusters, which can be searched recursively just as
in the hypercube case. In more detail, basis states now have the form $|v, z, C\rangle$, where $v$ is
a vertex, $z$ is an answer bit, and $C$ is the (label of the) cluster currently being searched.
(Unfortunately, because multiple $R$-clusters can have the same peg, a single auxiliary qubit
no longer suffices.) Also, let $K'(C)$ be the number of $(R-1)$-clusters in $R$-cluster $C$; then
$K'(C) \le K(R)$ where $K(R) = 2\lceil n_R/n_{R-1} \rceil$. If $K'(C) < K(R)$, then place $K(R) - K'(C)$
"dummy" $(R-1)$-clusters in $C$, each of which has $(R-1)$-peg $v(C)$.

The algorithm $A_R$ from Section 14.6.2 now does the following, when invoked on
the initial state $|v(C), 0, C\rangle$, where $C$ is an $R$-cluster. If $R = 0$, then $A_R$ uses a query
transformation to prepare the state $|v(C), 1, C\rangle$ if $v(C)$ is the marked vertex and $|v(C), 0, C\rangle$
otherwise. If $R \ge 1$ and $C$ is not a dummy cluster, then $A_R$ performs $m_R$ steps of amplitude
amplification on $\mathcal{A}_R$, where $m_R$ is the largest integer such that $2m_R + 1 \le \sqrt{n_R/n_{R-1}}$.$^6$ If
$C$ is a dummy cluster, then $A_R$ does nothing for an appropriate number of steps, and then
returns that no marked item was found.

We now describe the subroutine $\mathcal{A}_R$, for $R \ge 1$. When invoked with $|v(C), 0, C\rangle$
as its initial state, $\mathcal{A}_R$ first prepares a uniform superposition

$$\frac{1}{\sqrt{K(R)}} \sum_{i=1}^{K(R)} |v(C_i), 0, C_i\rangle.$$

It then calls $A_{R-1}$ recursively, to search $C_1, \ldots, C_{K(R)}$ in superposition and amplify the
results.

For $R \ge 1$, define the radius of an $R$-cluster $C$ to be the maximum, over all
$(R-1)$-clusters $C'$ in $C$, of the distance from $v(C)$ to $v(C')$. Also, call an $R$-cluster good
if it has radius at most $\ell_R$, where $\ell_R = \left(\frac{2}{\kappa} n_R \ln n\right)^{1/d}$.

Lemma 125 With probability $1 - o(1)$ over the choice of clusters, all clusters are good.

Proof. Let $v$ be the $(R-1)$-peg of an $(R-1)$-cluster. Then $|B(v, \ell)| \ge \kappa \ell^d$,
where $B(v, \ell)$ is the ball of radius $\ell$ about $v$. So the probability that $v$ has distance greater
than $\ell_R$ to the nearest $R$-peg is at most

$$\left(1 - \frac{\kappa \ell_R^d}{n}\right)^{\lceil n/n_R \rceil} \le \left(1 - \frac{2 \ln n}{n/n_R}\right)^{n/n_R} < \frac{1}{n^2}.$$

Furthermore, the total number of pegs is easily seen to be $O(n)$. It follows by the union
bound that every $(R-1)$-peg for every $R$ has distance at most $\ell_R$ to the nearest $R$-peg,
with probability $1 - O(1/n) = 1 - o(1)$ over the choice of clusters. ■

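We now analyze the running time and success probability of $A_R$.

6 In the hypercube case, we performed fewer amplifications in order to lower the running time from
$\sqrt{n}\, \mathrm{polylog}\, n$ to $\sqrt{n}$. Here, though, the splitting-up step produces a $\mathrm{polylog}\, n$ factor anyway.

Lemma 126 $A_R$ uses $O\left(\sqrt{n_R} \log^{1/d} n\right)$ steps, assuming that all clusters are good.

Proof. Let $T_A(R)$ and $T_{\mathcal{A}}(R)$ be the time used by $A_R$ and $\mathcal{A}_R$ respectively in
searching an $R$-cluster. Then we have

$$T_A(R) \le \sqrt{n_R/n_{R-1}}\; T_{\mathcal{A}}(R),$$
$$T_{\mathcal{A}}(R) \le \ell_R + T_A(R-1)$$

with the base case $T_A(0) = 1$. Combining,

$$
\begin{aligned}
T_A(R) &\le \sqrt{n_R/n_{R-1}} \left(\ell_R + T_A(R-1)\right) \\
&\le \sqrt{n_R/n_{R-1}}\, \ell_R + \sqrt{n_R/n_{R-2}}\, \ell_{R-1} + \cdots + \sqrt{n_R/n_0}\, \ell_1 \\
&= \sqrt{n_R} \cdot O\left(\frac{(n_R \ln n)^{1/d}}{\sqrt{n_{R-1}}} + \cdots + \frac{(n_1 \ln n)^{1/d}}{\sqrt{n_0}}\right) \\
&= \sqrt{n_R} \left(\ln^{1/d} n\right) \cdot O\left(n_1^{1/d - \beta/2} + \cdots + n_R^{1/d - \beta/2}\right) \\
&= \sqrt{n_R} \left(\ln^{1/d} n\right) \cdot O\left(n_1^{1/d - \beta/2} + \left(n_1^{1/d - \beta/2}\right)^{1/\beta} + \cdots + \left(n_1^{1/d - \beta/2}\right)^{(1/\beta)^{R-1}}\right) \\
&= O\left(\sqrt{n_R} \log^{1/d} n\right),
\end{aligned}
$$

where the last line holds because $\beta > 2/d$ and therefore $n_1^{1/d - \beta/2} < 1$. ■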

Lemma 127 $A_R$ succeeds with probability $\Omega(1/\mathrm{polylog}\, n_R)$ in searching a graph of size
$n = n_R$, assuming there is a unique marked vertex.

Proof. For all $R \ge 0$, let $C_R$ be the $R$-cluster that contains the marked vertex,
and let $P_A(R)$ and $P_{\mathcal{A}}(R)$ be the success probabilities of $A_R$ and $\mathcal{A}_R$ respectively when
searching $C_R$. Then for all $R \ge 1$, we have $P_{\mathcal{A}}(R) = P_A(R-1)/(2K(R))$, and therefore

$$
\begin{aligned}
P_A(R) &\ge \left(1 - \frac{(2m_R+1)^2}{3} P_{\mathcal{A}}(R)\right)(2m_R+1)^2 P_{\mathcal{A}}(R) \\
&= \left(1 - \frac{(2m_R+1)^2}{3} \cdot \frac{P_A(R-1)}{2K(R)}\right)(2m_R+1)^2\, \frac{P_A(R-1)}{2K(R)} \\
&= \Omega\left(P_A(R-1)\right) \\
&= \Omega(1/\mathrm{polylog}\, n_R).
\end{aligned}
$$

Here the third line holds because $(2m_R+1)^2 \approx n_R/n_{R-1} \approx K(R)/2$, and the last line
because $R = \Theta(\log \log n_R)$. ■

Finally, we repeat $A_R$ itself $O(\mathrm{polylog}\, n_R)$ times, to achieve success probability
$\Omega(1)$ using $O\left(\sqrt{n_R}\, \mathrm{polylog}\, n_R\right)$ steps in total. Again, if $n$ is not equal to $n_R$ for any
$R$, then we simply find the largest $R$ such that $n_R < n$, and then add one more level of
recursion that searches a random $R$-cluster and amplifies the result $\Theta\left(\sqrt{n/n_R}\right)$ times. The
resulting algorithm uses $O\left(\sqrt{n}\, \mathrm{polylog}\, n\right)$ steps, thereby establishing part (i) of Theorem
124 for the case of a unique marked vertex. The generalization to multiple marked vertices
is straightforward.

Corollary 128 If $G$ is $d$-dimensional for a constant $d > 2$, then

$$Q\left(\mathrm{OR}^{(\ge k)}, G\right) = O\left(\frac{\sqrt{n}\, \mathrm{polylog}\frac{n}{k}}{k^{1/2-1/d}}\right).$$

Proof. Assume without loss of generality that $k = o(n)$, since otherwise a marked
item is trivially found in $O\left(n^{1/d}\right)$ steps. As in Theorem 123, we give an algorithm $\mathcal{B}$
consisting of $\log_2(n/k) + 1$ iterations. In iteration $j = 0$, choose $\lceil n/k \rceil$ vertices $w_1, \ldots, w_{\lceil n/k \rceil}$
uniformly at random. Then run the algorithm for the unique marked vertex case, but
instead of taking all vertices in $G$ as 0-pegs, take only $w_1, \ldots, w_{\lceil n/k \rceil}$. On the other hand,
still choose the 1-pegs, 2-pegs, and so on uniformly at random from among all vertices in
$G$. For all $R$, the number of $R$-pegs should be $\lceil (n/k)/n_R \rceil$. In general, in iteration $j$
of $\mathcal{B}$, choose $\lceil n/(2^j k) \rceil$ vertices $w_1, \ldots, w_{\lceil n/(2^j k) \rceil}$ uniformly at random, and then run the
algorithm for a unique marked vertex as if $w_1, \ldots, w_{\lceil n/(2^j k) \rceil}$ were the only vertices in the
graph.

It is easy to see that, assuming there are $k$ or more marked vertices, with probability
$\Omega(1)$ there exists an iteration $j$ such that exactly one of $w_1, \ldots, w_{\lceil n/(2^j k) \rceil}$ is marked.
Hence $\mathcal{B}$ succeeds with probability $\Omega(1)$. It remains only to upper-bound $\mathcal{B}$'s running time.

In iteration $j$, notice that Lemma 125 goes through if we use $\ell_R^{(j)} := \left(\frac{2}{\kappa}\, 2^j k\, n_R \ln\frac{n}{k}\right)^{1/d}$
instead of $\ell_R$. That is, with probability $1 - O(k/n) = 1 - o(1)$ over the choice of clusters,
every $R$-cluster has radius at most $\ell_R^{(j)}$. So letting $T_A(R)$ be the running time of $A_R$ on
an $R$-cluster, the recurrence in Lemma 126 becomes

$$T_A(R) \le \sqrt{n_R/n_{R-1}} \left(\ell_R^{(j)} + T_A(R-1)\right) = O\left(\sqrt{n_R} \left(2^j k \log(n/k)\right)^{1/d}\right),$$

which is

$$O\left(\frac{\sqrt{n} \log^{1/d}\frac{n}{k}}{(2^j k)^{1/2-1/d}}\right)$$

if $n_R = \lceil n/(2^j k) \rceil$. As usual, the case where there is no $R$ such that $n_R = \lceil n/(2^j k) \rceil$ is
trivially handled by adding one more level of recursion. If we factor in the $O(1/\mathrm{polylog}\, n_R)$
repetitions of $A_R$ needed to boost the success probability to $\Omega(1)$, then the total running
time of iteration $j$ is

$$O\left(\frac{\sqrt{n}\, \mathrm{polylog}\frac{n}{k}}{(2^j k)^{1/2-1/d}}\right).$$

Therefore $\mathcal{B}$'s running time is

$$O\left(\sum_{j=0}^{\log_2(n/k)} \frac{\sqrt{n}\, \mathrm{polylog}\frac{n}{k}}{(2^j k)^{1/2-1/d}}\right) = O\left(\frac{\sqrt{n}\, \mathrm{polylog}\frac{n}{k}}{k^{1/2-1/d}}\right).$$

For the $d = 2$ case, the best upper bound we can show is $\sqrt{n}\, 2^{O\left(\sqrt{\log n}\right)}$. This
is obtained by simply modifying $A_R$ to have a deeper recursion tree. Instead of taking
$n_R = n_{R-1}^{1/\mu}$ for some $\mu$, we take $n_R = 2^{\sqrt{\log n}}\, n_{R-1} = 2^{R\sqrt{\log n}}$, so that the total number of
levels is $\left\lceil \sqrt{\log n} \right\rceil$. Lemma 125 goes through without modification, while the recurrence for
the running time becomes

$$
\begin{aligned}
T_A(R) &\le \sqrt{n_R/n_{R-1}} \left(\ell_R + T_A(R-1)\right) \\
&\le \sqrt{n_R/n_{R-1}}\, \ell_R + \sqrt{n_R/n_{R-2}}\, \ell_{R-1} + \cdots + \sqrt{n_R/n_0}\, \ell_1 \\
&= \sqrt{n}\, 2^{O\left(\sqrt{\log n}\right)}.
\end{aligned}
$$

Also, since the success probability decreases by at most a constant factor at each level, we
have that $P_A(R) = 2^{-O\left(\sqrt{\log n}\right)}$, and hence $2^{O\left(\sqrt{\log n}\right)}$ amplification steps suffice to boost
the success probability to $\Omega(1)$. Handling multiple marked items adds an additional factor
of $\log n$, which is absorbed into $2^{O\left(\sqrt{\log n}\right)}$. This completes Theorem 124.



14.7.1 Bits Scattered on a Graph 

In Section 14.3, we discussed several ways to pack a given amount of entropy into a spatial
region of given dimensions. However, we said nothing about how the entropy is distributed
within the region. It might be uniform, or concentrated on the boundary, or distributed in
some other way. So we need to answer the following: suppose that in some graph, $h$ out
of the $n$ vertices might be marked, and we know which $h$ those are. Then how much time
is needed to determine whether any of the $h$ is marked? If the graph is the hypercube $\mathcal{L}_d$
for $d \ge 2$ or is $d$-dimensional for $d > 2$, then the results of the previous sections imply that
$O\left(\sqrt{n}\, \mathrm{polylog}\, n\right)$ steps suffice. However, we wish to use fewer steps, taking advantage of
the fact that $h$ might be much smaller than $n$. Formally, suppose we are given a graph
$G$ with $n$ vertices, of which $h$ are potentially marked. Let $\mathrm{OR}^{(h, \ge k)}$ be the problem of
deciding whether $G$ has no marked vertices or at least $k$ of them, given that one of these is
the case.

Proposition 129 For all integer constants $d \ge 2$, there exists a $d$-dimensional graph $G$
such that

$$Q\left(\mathrm{OR}^{(h, \ge k)}, G\right) = \Omega\left(n^{1/d} \left(\frac{h}{k}\right)^{1/2-1/d}\right).$$

Proof. Let $G$ be the $d$-dimensional hypercube $\mathcal{L}_d(n)$. Create $h/k$ subcubes
of potentially marked vertices, each having $k$ vertices and side length $k^{1/d}$. Space these
subcubes out in $\mathcal{L}_d(n)$ so that the distance between any pair of them is $\Omega\left((nk/h)^{1/d}\right)$.
Then choose a subcube $C$ uniformly at random and mark all $k$ vertices in $C$. This enables
us to consider each subcube as a single vertex, having distance $\Omega\left((nk/h)^{1/d}\right)$ to every other
vertex. The lower bound now follows by a hybrid argument essentially identical to that of
Theorem ■

In particular, if $d = 2$ then $\Omega(\sqrt{n})$ time is always needed, since the potentially
marked vertices might all be far from the start vertex. The lower bound of Proposition
129 can be achieved up to a polylogarithmic factor.

Proposition 130 If $G$ is $d$-dimensional for a constant $d > 2$, then

$$Q\left(\mathrm{OR}^{(h, \ge k)}, G\right) = O\left(n^{1/d} \left(\frac{h}{k}\right)^{1/2-1/d} \mathrm{polylog}\frac{h}{k}\right).$$

Proof. Assume without loss of generality that $k = o(h)$, since otherwise a marked
item is trivially found. Use algorithm $\mathcal{B}$ from Corollary 128, with the following simple
change. In iteration $j$, choose $\lceil h/(2^j k) \rceil$ potentially marked vertices $w_1, \ldots, w_{\lceil h/(2^j k) \rceil}$
uniformly at random, and then run the algorithm for a unique marked vertex as if $w_1, \ldots, w_{\lceil h/(2^j k) \rceil}$
were the only vertices in the graph. That is, take $w_1, \ldots, w_{\lceil h/(2^j k) \rceil}$ as 0-pegs; then for all
$R \ge 1$, choose $\lceil h/(2^j k\, n_R) \rceil$ vertices of $G$ uniformly at random as $R$-pegs. Lemma 125
goes through if we use $\widehat{\ell}_R^{(j)} := \left(\frac{2}{\kappa} \frac{n}{h}\, 2^j k\, n_R \ln\frac{h}{k}\right)^{1/d}$ instead of $\ell_R$. So following Corollary 128,
the running time of iteration $j$ is now



if $n_R = \lceil h/(2^j k) \rceil$. Therefore the total running time is



(\og 2 (h/k) / u \ 



k j \ \k j k 



Intuitively, Proposition 130 says that the worst case for search occurs when the $h$
potential marked vertices are scattered evenly throughout the graph.



14.8 Application to Disjointness 

In this section we show how our results can be used to strengthen a seemingly unrelated
result in quantum computing. Suppose Alice has a string $X = x_1 \ldots x_n \in \{0,1\}^n$, and
Bob has a string $Y = y_1 \ldots y_n \in \{0,1\}^n$. In the disjointness problem, Alice and Bob
must decide with high probability whether there exists an $i$ such that $x_i = y_i = 1$, using
as few bits of communication as possible. Buhrman, Cleve, and Wigderson observed
that in the quantum setting, Alice and Bob can solve this problem using only $O(\sqrt{n} \log n)$
qubits of communication. This was subsequently improved by Høyer and de Wolf [146] to
$O\left(\sqrt{n}\, c^{\log^* n}\right)$, where $c$ is a constant and $\log^* n$ is the iterated logarithm function. Using
the search algorithm of Theorem 110, we can improve this to $O(\sqrt{n})$, which matches the
celebrated $\Omega(\sqrt{n})$ lower bound of Razborov [199].

Theorem 131 The bounded-error quantum communication complexity of the disjointness
problem is $O(\sqrt{n})$.

Proof. The protocol is as follows. Alice and Bob both store their inputs in
a 3-D cube $\mathcal{L}_3(n)$ (Figure 14.3); that is, they let $x_{jkl} = x_i$ and $y_{jkl} = y_i$, where $i =
n^{2/3} j + n^{1/3} k + l + 1$ and $j, k, l \in \{0, \ldots, n^{1/3} - 1\}$. Throughout, they maintain a joint state
of the form

$$\sum \alpha_{j,k,l,z_A,z_B,c}\, |v_{jkl}, z_A\rangle \otimes |c\rangle \otimes |v_{jkl}, z_B\rangle, \qquad (14.1)$$

where $c$ is used for communication between the players, and $z_A$ and $z_B$ store the answers to
queries. Thus, whenever Alice is at location $(j, k, l)$ of her cube, Bob is at location $(j, k, l)$
of his cube. To decide whether there exists a $(j, k, l)$ with $x_{jkl} = y_{jkl} = 1$, Alice simply runs
our search algorithm for an unknown number of marked items, but with two changes. First,
after each query, Alice inverts her phase if and only if $x_{jkl} = y_{jkl} = 1$; this requires 2 qubits
of communication from Bob, to send $y_{jkl}$ to Alice and then to erase it. Second, before
each movement step, Alice tells Bob in which of the six possible directions she is going to
move. That way, Bob can synchronize his location with Alice's, and thereby maintain the
state in the form (14.1). This requires 6 qubits of communication from Alice, to send the
direction to Bob and then to erase it. Notice that no further communication is necessary,
since there are no auxiliary registers in our algorithm that need to be communicated. Since
the algorithm uses $O(\sqrt{n})$ steps, the number of qubits communicated in the disjointness
protocol is therefore also $O(\sqrt{n})$. ■

14.9 Open Problems 

As discussed in Section 14.4.1, a salient open problem raised by this work is to prove
relationships among Z-local, C-local, and H-local unitary matrices. In particular, can any
Z-local or H-local unitary be approximated by a product of a small number of C-local
unitaries? Also, is it true that $Q(f, G) = \Theta\left(Q^Z(f, G)\right) = \Theta\left(Q^H(f, G)\right)$ for all $f, G$?

A second problem is to obtain interesting lower bounds in our model. For example,
let $G$ be a $\sqrt{n} \times \sqrt{n}$ grid, and suppose $f(X) = 1$ if and only if every row of $G$ contains a
vertex $v_i$ with $x_i = 1$. Clearly $Q(f, G) = O\left(n^{3/4}\right)$, and we conjecture that this is optimal.
However, we were unable to show any lower bound better than $\Omega(\sqrt{n})$.

Finally, what is the complexity of finding a unique marked vertex on a 2-D square
grid? As mentioned in Section 14.2, Ambainis, Kempe, and Rivosh [31] showed that
$Q\left(\mathrm{OR}^{(1)}, \mathcal{L}_2\right) = O(\sqrt{n} \log n)$. Can the remaining factor of $\log n$ be removed?

Chapter 15

Quantum Computing and 
Postselection 

"Gill, in his seminal paper on probabilistic complexity classes, defined the class 
PP and asked whether the class was closed under intersection. In 1990, Fenner 
and Kurtz and later myself, decided to try a new approach to the question: 
Consider a class defined like PP but with additional restrictions, show that this 
class is closed under intersection and then show the class was really the same as 
PP." 

— Lance Fortnow, My Computational Complexity Web Log [113]

(the approach didn't succeed, though as this chapter will show, all it was missing 
was quantum mechanics) 

Postselection is the power of discarding all runs of a computation in which a given
event does not occur. Clearly, such an ability would let us solve NP-complete problems in
polynomial time, since we could guess a random solution, and then postselect on its being
correct. But would postselection let us do more than NP? Using a classical computer, the
class of problems we could efficiently solve coincides with a class called BPP$_{\mathrm{path}}$, which was
defined by Han, Hemaspaandra, and Thierauf [142] and which sits somewhere between MA
and PP.

This chapter studies the power of postselection when combined with quantum
computing. In Section 15.1 I define a new complexity class called PostBQP, which is
similar to BQP except that we can measure a qubit that has some nonzero probability of
being $|1\rangle$, and assume the outcome will be $|1\rangle$. The main result is that PostBQP equals
the classical complexity class PP.

My original motivation, which I explain in Section 15.2, was to analyze the computational
power of "fantasy" versions of quantum mechanics, and thereby gain insight into
why quantum mechanics is the way it is. For example, I show in Section 15.2 that if we
changed the measurement probability rule from $|\psi|^2$ to $|\psi|^p$ for some $p \neq 2$, or allowed linear
but nonunitary gates, then we could simulate postselection, and hence solve PP-complete
problems in polynomial time. I was also motivated by a concept that I call anthropic computing:
arranging things so that you're more likely to exist if a computer produces a desired
output than if it doesn't. As a simple example, under the many-worlds interpretation of
quantum mechanics, you might kill yourself in all universes where a computer's output is
incorrect. My result implies that, using this "technique," the class of problems that you
could efficiently solve is exactly PP.

However, it recently dawned on me that the PostBQP = PP result is also interesting
for purely classical reasons. In particular, it yields an almost-trivial, quantum
computing based proof that PP is closed under intersection. This proof does not use rational
approximations, threshold polynomials, or any of the other techniques pioneered by
Beigel, Reingold, and Spielman [47] in their justly-celebrated original proof. Another immediate
corollary of my new characterization of PP is a result originally due to Fortnow and
Reingold [115]: that PP is closed under polynomial-time truth-table reductions. Indeed, I
can show that PP is closed under BQP truth-table reductions, which is a new result as far
as I know. I conclude in Section 15.3 with some open problems.

15.1 The Class PostBQP 

I hereby define a complexity class: 

Definition 132 PostBQP (Postselected Bounded-Error Quantum Polynomial-Time) is the
class of languages $L$ for which there exists a uniform family of polynomial-size quantum
circuits such that for all inputs $x$,

(i) At the end of the computation, the first qubit has a nonzero probability of being measured
to be $|1\rangle$.

(ii) If $x \in L$, then conditioned on the first qubit being $|1\rangle$, the second qubit is $|1\rangle$ with
probability at least 2/3.

(iii) If $x \notin L$, then conditioned on the first qubit being $|1\rangle$, the second qubit is $|1\rangle$ with
probability at most 1/3.

We can think of PostBQP as the "nondeterministic" version of BQP. Admittedly,
there are already three other contenders for that title: QMA, defined by Watrous [239];
QCMA, defined by Aharonov and Naveh [21]; and NQP, defined by Adleman, DeMarrais,
and Huang (which turns out to equal coC$_=$P [107]). As we will see, PostBQP contains
all of these as subclasses.

It is immediate that NP $\subseteq$ PostBQP $\subseteq$ PP. For the latter inclusion, we can use
the same techniques used by Adleman, DeMarrais, and Huang [16] to show that BQP $\subseteq$ PP,
but sum only over paths where the first qubit is $|1\rangle$ at the end. This is made explicit in
Theorem 57 of Chapter 10.

How robust is PostBQP? Just as Bernstein and Vazirani [55] showed that intermediate
measurements don't increase the power of ordinary quantum computers, so it's
easy to show that intermediate postselection steps don't increase the power of PostBQP.
Whenever we want to postselect on a qubit being $|1\rangle$, we simply CNOT that qubit into a
fresh ancilla qubit that is initialized to $|0\rangle$ and that will never be written to again. Then,
at the end, we compute the AND of all the ancilla qubits, and swap the result into the
first qubit. It follows that we can repeat a PostBQP computation a polynomial number of
times, and thereby amplify the probability gap from $(1/3, 2/3)$ to $(2^{-p(n)}, 1 - 2^{-p(n)})$ for
any polynomial $p$.

A corollary of the above observations is that PostBQP has strong closure properties. 

Proposition 133 PostBQP is closed under union, intersection, and complement. Indeed,
it is closed under BQP truth table reductions, meaning that PostBQP = $\mathsf{BQP}^{\mathsf{PostBQP}}_{\|,\mathrm{classical}}$, where
$\mathsf{BQP}^{\mathsf{PostBQP}}_{\|,\mathrm{classical}}$ is the class of problems solvable by a BQP machine that can make a polynomial
number of nonadaptive classical queries to a PostBQP oracle.

Proof. Clearly PostBQP is closed under complement. To show closure under
intersection, let $L_1, L_2 \in$ PostBQP. Then to decide whether $x \in L_1 \cap L_2$, run amplified
computations (with error probability at most 1/6) to decide if $x \in L_1$ and if $x \in L_2$,
postselect on both computations succeeding, and accept if and only if both accept. It
follows that PostBQP is closed under union as well.

In general, suppose a $\mathsf{BQP}^{\mathsf{PostBQP}}_{\|,\mathrm{classical}}$ machine $M$ submits queries $q_1, \ldots, q_{p(n)}$ to the
PostBQP oracle. Then run amplified computations (with error probability at most, say,
$\frac{1}{10 p(n)}$) to decide the answers to these queries, and postselect on all $p(n)$ of them succeeding.
By the union bound, if $M$ had error probability $\varepsilon$ with a perfect PostBQP oracle, then its
new error probability is at most $\varepsilon + 1/10$, which can easily be reduced through amplification.
■

One might wonder why Proposition 133 doesn't go through with adaptive queries.
The reason is subtle: suppose we have two PostBQP computations, the second of which relies 
on the output of the first. Then even if the first computation is amplified a polynomial 
number of times, it still has an exponentially small probability of error. But since the 
second computation uses postselection, any nonzero error probability could be magnified 
arbitrarily, and is therefore too large. 

I now prove the main result. 

Theorem 134 PostBQP = PP. 

Proof. We have already observed that PostBQP $\subseteq$ PP. For the other direction,
let $f : \{0,1\}^n \to \{0,1\}$ be an efficiently computable Boolean function and let
$s = |\{x : f(x) = 1\}|$. Then we need to decide in PostBQP whether $s < 2^{n-1}$ or $s > 2^{n-1}$.
(As a technicality, we can guarantee using padding that $s > 0$.)

The algorithm is as follows: first prepare the state $2^{-n/2} \sum_{x \in \{0,1\}^n} |x\rangle |f(x)\rangle$.
Then following Abrams and Lloyd apply Hadamard gates to all $n$ qubits in the first
register and postselect$^1$ on that register being $|0\rangle^{\otimes n}$, to obtain $|0\rangle^{\otimes n} |\psi\rangle$ where

$$|\psi\rangle = \frac{(2^n - s)\,|0\rangle + s\,|1\rangle}{\sqrt{(2^n - s)^2 + s^2}}.$$

1 Postselection is actually overkill here, since the first register has at least 1/4 probability of being $|0\rangle^{\otimes n}$.

Figure 15.1: If $s$ and $2^n - 2s$ are both positive, then as we vary the ratio of $\beta$ to $\alpha$, we
eventually get close to $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$ (dashed lines). On the other hand, if $2^n - 2s$
is not positive (dotted line), then we never even get into the first quadrant.



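Next, for some positive real numbers $\alpha, \beta$ to be specified later, prepare $\alpha |0\rangle |\psi\rangle + \beta |1\rangle H |\psi\rangle$
where

$$H |\psi\rangle = \frac{\sqrt{1/2}\,(2^n)\,|0\rangle + \sqrt{1/2}\,(2^n - 2s)\,|1\rangle}{\sqrt{(2^n - s)^2 + s^2}}$$

is the result of applying a Hadamard gate to $|\psi\rangle$. Then postselect on the second qubit
being $|1\rangle$. This yields the reduced state

$$|\varphi_{\beta/\alpha}\rangle = \frac{\alpha s\,|0\rangle + \beta \sqrt{1/2}\,(2^n - 2s)\,|1\rangle}{\sqrt{\alpha^2 s^2 + (\beta^2/2)(2^n - 2s)^2}}$$

in the first qubit.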

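Suppose $s < 2^{n-1}$, so that $s$ and $\sqrt{1/2}\,(2^n - 2s)$ are both at least 1. Then we
claim there exists an integer $i \in [-n, n]$ such that, if we set $\beta/\alpha = 2^i$, then $|\varphi_{2^i}\rangle$ is close to
the state $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$:

$$|\langle + | \varphi_{2^i} \rangle| \geq \frac{1 + \sqrt{2}}{\sqrt{6}} > 0.985.$$

For since $\sqrt{1/2}\,(2^n - 2s)/s$ lies between $2^{-n}$ and $2^n$, there must be an integer $i \in [-n, n-1]$
such that $|\varphi_{2^i}\rangle$ and $|\varphi_{2^{i+1}}\rangle$ fall on opposite sides of $|+\rangle$ in the first quadrant (see Figure
15.1). So the worst case is that $\langle + | \varphi_{2^i} \rangle = \langle + | \varphi_{2^{i+1}} \rangle$, which occurs when $|\varphi_{2^i}\rangle = \sqrt{2/3}\,|0\rangle +
\sqrt{1/3}\,|1\rangle$ and $|\varphi_{2^{i+1}}\rangle = \sqrt{1/3}\,|0\rangle + \sqrt{2/3}\,|1\rangle$. On the other hand, suppose $s > 2^{n-1}$, so that
$\sqrt{1/2}\,(2^n - 2s) < 0$. Then $|\varphi_{2^i}\rangle$ never lies in the first or third quadrants, and therefore
$|\langle + | \varphi_{2^i} \rangle| < 1/\sqrt{2} < 0.985$.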






It follows that, by repeating the whole algorithm $n(2n + 1)$ times (as in Proposition
133), with $n$ invocations for each integer $i \in [-n, n]$, we can learn whether $s < 2^{n-1}$ or
$s > 2^{n-1}$ with exponentially small probability of error. ■
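The procedure in the proof of Theorem 134, traced numerically as an added example (not code from the thesis). It computes each postselected state exactly instead of estimating the overlap from repeated runs; the function names and the amplitude-list representation are assumptions made for illustration.

```python
import math

THRESHOLD = 0.985  # constant used in the proof of Theorem 134


def walsh_hadamard(vec):
    """Apply a Hadamard gate to every qubit of a 2**n-entry amplitude list."""
    vec = list(vec)
    h = 1
    while h < len(vec):
        for start in range(0, len(vec), 2 * h):
            for j in range(start, start + h):
                a, b = vec[j], vec[j + h]
                vec[j] = (a + b) / math.sqrt(2)
                vec[j + h] = (a - b) / math.sqrt(2)
        h *= 2
    return vec


def psi_after_first_postselection(f, n):
    """Prepare 2^(-n/2) sum_x |x>|f(x)>, Hadamard the first register,
    postselect on that register being |0...0>, and return the normalized
    amplitudes (psi0, psi1) left in the last qubit."""
    size = 2 ** n
    amp = 2 ** (-n / 2)
    # Amplitudes of |x>|0> and |x>|1>, stored as two lists indexed by x.
    branch0 = [amp if f(x) == 0 else 0.0 for x in range(size)]
    branch1 = [amp if f(x) == 1 else 0.0 for x in range(size)]
    a0 = walsh_hadamard(branch0)[0]  # amplitude of |0...0>|0>
    a1 = walsh_hadamard(branch1)[0]  # amplitude of |0...0>|1>
    norm = math.hypot(a0, a1)
    return a0 / norm, a1 / norm


def overlap_with_plus(psi, i):
    """Return |<+|phi>| for the reduced state obtained with beta/alpha = 2**i."""
    p0, p1 = psi
    h1 = (p0 - p1) / math.sqrt(2)  # |1>-component of H|psi>
    alpha, beta = 1.0, 2.0 ** i
    # alpha|0>|psi> + beta|1>H|psi>, postselected on the second qubit being |1>,
    # leaves alpha*p1|0> + beta*h1|1> (unnormalized) in the first qubit.
    c0, c1 = alpha * p1, beta * h1
    return abs(c0 + c1) / (math.sqrt(2) * math.hypot(c0, c1))


def minority(f, n):
    """True iff s = |{x : f(x) = 1}| satisfies s < 2^(n-1). Requires s > 0."""
    psi = psi_after_first_postselection(f, n)
    if psi[1] == 0:
        raise ValueError("s must be positive (the proof ensures this by padding)")
    best = max(overlap_with_plus(psi, i) for i in range(-n, n + 1))
    return best >= THRESHOLD


if __name__ == "__main__":
    n = 4
    for s in (1, 3, 7, 8, 9, 16):  # constructed inputs: f(x) = 1 exactly when x < s
        print(s, minority(lambda x, s=s: 1 if x < s else 0, n))
```

For $s = 2$ and $n = 3$ the best overlap equals the worst-case value $(1+\sqrt{2})/\sqrt{6} \approx 0.9856$, which is how thin the margin above 0.985 can get.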

Combining Proposition 133 with Theorem 134 immediately yields that PP is closed
under intersection, as well as under BQP truth-table reductions.

15.2 Fantasy Quantum Mechanics 

"It is striking that it has so far not been possible to find a logically consis- 
tent theory that is close to quantum mechanics, other than quantum mechanics 
itself." 

— Steven Weinberg, Dreams of a Final Theory [211]

Is quantum mechanics an island in theoryspace? By "theoryspace," I mean the 
space of logically conceivable physical theories, with two theories close to each other if they 
differ in few respects. An "island" in theoryspace is then a natural and interesting theory, 
whose neighbors are all somehow perverse or degenerate. The Standard Model is not an 
island, because we do not know of any compelling (non-anthropic) reason why the masses 
and coupling constants should have the values they do. Likewise, general relativity is 
probably not an island, because of alternatives such as the Brans-Dicke theory. 

To many physicists, however, quantum mechanics does seem like an island: change
any one aspect, and the whole theory becomes inconsistent or nonsensical. There are many
mathematical results supporting this opinion: for example, Gleason's Theorem [127] and
other "derivations" of the $|\psi|^2$ probability rule |93M252|; arguments for why amplitudes have
to be complex numbers, rather than real numbers or quaternions [Hl \ I143j; and "absurd"
consequences of allowing nonlinear transformations between states |151 11261 I191j. The
point of these results is to provide some sort of explanation for why quantum mechanics
has the properties it does.

In 1998, Abrams and Lloyd [15] suggested that computational complexity could
also be pressed into such an explanatory role. In particular, they showed that under
almost any nonlinear variant of quantum mechanics, one could build a "nonlinear quantum
computer" able to solve NP-complete and even #P-complete problems in polynomial time.$^2$
One interpretation of their result is that we should look very hard for nonlinearities in
experiments! But a different interpretation, the one I prefer, is that their result provides
independent evidence that quantum mechanics is linear.$^3$

2 A caveat is that it remains an open problem whether this can be done fault-tolerantly. The answer
might depend on the allowed types of nonlinear gate. On the other hand, if arbitrary 1-qubit nonlinear
gates can be implemented without error, then even PSPACE-complete problems can be solved in polynomial
time. This is tight, since nonlinear quantum computers can also be simulated in PSPACE. I will give more
details in a forthcoming survey paper [12].

3 Note that I would not advocate this interpretation if it was merely (say) graph isomorphism that
was efficiently solvable in nonlinear quantum mechanics, just as I do not take Shor's factoring algorithm as
evidence for the falsehood of ordinary quantum mechanics. I will explain in [12] why I think this distinction,
between NP-complete problems and specific NP-intermediate problems, is a justified one.
In this section I build on Theorem 134 to offer similar "evidence" that quantum
mechanics is unitary, and that the measurement rule is $|\psi|^2$.

Let BQP$_{\mathrm{nu}}$ be the class of problems solvable by a uniform family of polynomial-size,
bounded-error quantum circuits, where the circuits can consist of arbitrary 1- and 2-qubit
invertible linear transformations, rather than just unitary transformations. Immediately
before a measurement, the amplitude $\alpha_x$ of each basis state $|x\rangle$ is divided by $\sqrt{\sum_y |\alpha_y|^2}$ to
normalize it.



Proposition 135 BQP$_{\mathrm{nu}}$ = PP.



Proof. The inclusion BQP$_{\mathrm{nu}}$ $\subseteq$ PP follows easily from Adleman, DeMarrais, and
Huang's proof that BQP $\subseteq$ PP [16], which does not depend on unitarity. For the other
direction, by Theorem 134 it suffices to show that PostBQP $\subseteq$ BQP$_{\mathrm{nu}}$. To postselect on a
qubit being $|1\rangle$, we simply apply the 1-qubit nonunitary operation

1 

for some sufficiently large polynomial q. ■ 

Next, for any nonnegative real number $p$, define BQP$_p$ similarly to BQP, except
that when we measure, the probability of obtaining a basis state $|x\rangle$ equals $|\alpha_x|^p / \sum_y |\alpha_y|^p$
rather than $|\alpha_x|^2$. Thus BQP$_2$ = BQP. Assume that all gates are unitary and that there
are no intermediate measurements, just a single standard-basis measurement at the end.

Theorem 136 PP $\subseteq$ BQP$_p$ $\subseteq$ PSPACE for all constants $p \neq 2$, with BQP$_p$ = PP when
$p \in \{4, 6, 8, \ldots\}$.

Proof. To simulate PP in BQP$_p$, run the algorithm of Theorem 134, having
initialized $O\left(\frac{1}{|p-2|}\,\mathrm{poly}(n)\right)$ ancilla qubits to $|0\rangle$. Suppose the algorithm's state at some
point is $\sum_x \alpha_x |x\rangle$, and we want to postselect on the event $|x\rangle \in S$, where $S$ is a subset of
basis states. Here is how: if $p < 2$, then for some sufficiently large polynomial $q$, apply
Hadamard gates to $c = 2q(n)/(2 - p)$ fresh ancilla qubits conditioned on $|x\rangle \in S$. The
result is to increase the "probability mass" of each $|x\rangle \in S$ from $|\alpha_x|^p$ to

$$2^c \cdot \left|2^{-c/2} \alpha_x\right|^p = 2^{(2-p)c/2}\,|\alpha_x|^p = 2^{q(n)}\,|\alpha_x|^p,$$

while the probability mass of each $|x\rangle \notin S$ remains unchanged. Similarly, if $p > 2$, then
apply Hadamard gates to $c = 2q(n)/(p - 2)$ fresh ancilla qubits conditioned on $|x\rangle \notin S$.
This decreases the probability mass of each $|x\rangle \notin S$ from $|\alpha_x|^p$ to $2^c \cdot |2^{-c/2} \alpha_x|^p =
2^{-q(n)} |\alpha_x|^p$, while the probability mass of each $|x\rangle \in S$ remains unchanged. The final
observation is that Theorem 134 still goes through if $p \neq 2$. For it suffices to distinguish
the case $|\langle + | \varphi_{2^i} \rangle| > 0.985$ from $|\langle + | \varphi_{2^i} \rangle| \leq 1/\sqrt{2}$ with exponentially small probability of
error, using polynomially many copies of the state $|\varphi_{2^i}\rangle$. But we can do this for any $p$,
since all $|\psi|^p$ rules behave well under tensor products (in the sense that $|\alpha\beta|^p = |\alpha|^p |\beta|^p$).
The inclusion BQP$_p$ $\subseteq$ PSPACE follows easily from the techniques used by Bernstein
and Vazirani [55] to show BQP $\subseteq$ PSPACE. Let $S$ be the set of accepting states; then
simply compute $\sum_{x \in S} |\alpha_x|^p$ and $\sum_{x \notin S} |\alpha_x|^p$ and see which is greater.

To simulate BQP$_p$ in PP when $p \in \{4, 6, 8, \ldots\}$, we generalize the technique of
Adleman, DeMarrais, and Huang, which handled the case $p = 2$. As in Theorem 57 in
Chapter 10, assume that all gates are Hadamard or Toffoli gates; then we can write each
amplitude $\alpha_x$ as a sum of exponentially many contributions, $a_{x,1} + \cdots + a_{x,N}$, where each
$a_{x,i}$ is a rational real number computable in classical polynomial time. Then letting $S$ be
the set of accepting states, it suffices to test whether

$$\sum_{x \in S} |\alpha_x|^p = \sum_{x \in S} \alpha_x^p = \sum_{x \in S} \Bigl( \sum_{i \in \{1, \ldots, N\}} a_{x,i} \Bigr)^p = \sum_{x \in S} \; \sum_{B \subseteq \{1, \ldots, N\},\, |B| = p} \; \prod_{i \in B} a_{x,i}$$

is greater than $\sum_{x \notin S} |\alpha_x|^p$, which we can do in PP. ■



15.3 Open Problems 

The new proof that PP is closed under intersection came as a total surprise to me. But on 
reflection, it goes a long way toward convincing me of a thesis expressed in Chapter^ that 
quantum computing offers a new perspective from which to revisit the central questions of 
classical complexity theory. What other classical complexity classes can we characterize in 
quantum terms, and what other questions can we answer by that means? 

A first step might be to prove even stronger closure properties for PP. Recall
from Proposition 133 that PostBQP is closed under polynomial-time truth-table reductions.
Presumably this can't be generalized to closure under Turing reductions, since if it could
then we would have $\mathsf{PP} = \mathsf{P}^{\mathsf{PP}}$, which is considered unlikely.$^4$ But can we show closure
under nonadaptive quantum reductions? More formally, let $\mathsf{BQP}^{\mathsf{PostBQP}}_{\|}$ be the class of
problems solvable by a BQP machine that can make a single quantum query, which consists
of a list of polynomially many questions for a PostBQP oracle. Then does $\mathsf{BQP}^{\mathsf{PostBQP}}_{\|}$
equal PostBQP? The difficulty in showing this seems to be uncomputing garbage after the
PostBQP oracle is simulated.

As for fantasy quantum mechanics, an interesting open question is whether BQP$_p$ =
PP for all nonnegative real numbers $p \neq 2$. An obvious idea for simulating BQP$_p$ in PP
would be to use a Taylor series expansion for the probability masses $|\alpha_x|^p$. Unfortunately,
I have no idea how to get fast enough convergence.



4 Indeed, Beigel gB gave an oracle relative to which $\mathsf{P}^{\mathsf{NP}} \not\subset \mathsf{PP}$.
Chapter 16

The Power of History 



Quantum mechanics lets us calculate the probability that (say) an electron will
be found in an excited state if measured at a particular time. But it is silent about
multiple-time or transition probabilities: that is, what is the probability that the electron
will be in an excited state at time $t_1$, given that it was in its ground state at an earlier
time $t_0$? The usual response is that this question is meaningless, unless of course the
electron was measured (or otherwise known with probability 1) to be in its ground state
at $t_0$. A different response — pursued by Schrödinger [213], Bohm, Bell [35], Nelson
[181], Dieks, and others — treats the question as provisionally meaningful, and then
investigates how one might answer it mathematically. Specific attempts at answers are
called "hidden-variable theories."

The appeal of hidden-variable theories is that they provide one possible solution to
the measurement problem. For they allow us to apply unitary quantum mechanics to the
entire universe (including ourselves), yet still discuss the probability of a future observation
conditioned on our current observations. Furthermore, they let us do so without making
any assumptions about decoherence or the nature of observers. For example, even if an
observer were placed in coherent superposition, that observer would still have a sequence
of definite experiences, and the probability of any such sequence could be calculated.

This chapter initiates the study of hidden variables from a quantum computing
perspective. I restrict attention to the simplest possible setting: that of discrete time,
a finite-dimensional Hilbert space, and a fixed orthogonal basis. Within this setting, I
reformulate known hidden-variable theories due to Dieks and Schrödinger [213], and also
introduce a new theory based on network flows. However, a more important contribution
is the axiomatic approach that I use. I propose five axioms for hidden-variable theories,
and then compare theories against each other based on which of the axioms they satisfy. A
central question in this approach is which subsets of axioms can be satisfied simultaneously.

In a second part of the chapter, I make the connection to quantum computing
explicit, by studying the computational complexity of simulating hidden-variable theories.
Below I describe the computational results.

16.1 The Complexity of Sampling Histories

It is often stressed that hidden-variable theories yield exactly the same predictions as ordinary
quantum mechanics. On the other hand, these theories describe a different picture of
physical reality, with an additional layer of dynamics beyond that of a state vector evolving
unitarily. I address a question that, to my knowledge, had never been raised before: what
is the computational complexity of simulating that additional dynamics? In other words,
if we could examine a hidden variable's entire history, then could we solve problems in
polynomial time that are intractable even for quantum computers?

I present strong evidence that the answer is yes. The Graph Isomorphism problem
asks whether two graphs $G$ and $H$ are isomorphic; while given a basis for a lattice $\mathcal{L} \in \mathbb{R}^n$,
the Approximate Shortest Vector problem asks for a nonzero vector in $\mathcal{L}$ within a $\sqrt{n}$
factor of the shortest one. I show that both problems are efficiently solvable by sampling a
hidden variable's history, provided the hidden-variable theory satisfies a reasonable axiom.
By contrast, despite a decade of effort, neither problem is known to lie in BQP. Thus,
if we let DQP (Dynamical Quantum Polynomial-Time) be the class of problems solvable
in the new model, then this already provides circumstantial evidence that BQP is strictly
contained in DQP.

However, the evidence is stronger than this. For I actually show that DQP contains
the entire class Statistical Zero Knowledge, or SZK. Furthermore, Chapter showed that
relative to an oracle, SZK is not contained in BQP. Combining the result that SZK $\subseteq$ DQP
with the oracle separation of Chapter El one obtains that BQP $\neq$ DQP relative to an oracle
as well.

Besides solving SZK problems, I also show that by sampling histories, one could
search an unordered database of $N$ items for a single "marked item" using only $O(N^{1/3})$
database queries. By comparison, Grover's quantum search algorithm [139] requires
queries, while classical algorithms require $\Theta(N)$ queries. On the other hand, I also show
that the $N^{1/3}$ upper bound is the best possible — so even in the histories model, one cannot
search an $N$-item database in $(\log N)^c$ steps for some fixed power $c$. This implies that
NP $\not\subset$ DQP relative to an oracle, which in turn suggests that DQP is still not powerful
enough to solve NP-complete problems in polynomial time.

At this point I should address a concern that many readers will have. Once we 
extend quantum mechanics by positing the "unphysical" ability to sample histories, isn't it 
completely unsurprising if we can then solve problems that were previously intractable? I 
believe the answer is no, for three reasons. 

First, almost every change that makes the quantum computing model more powerful,
seems to make it so much more powerful that NP-complete and even harder problems
become solvable efficiently. To give some examples, NP-complete problems can be solved
in polynomial time using a nonlinear Schrödinger equation, as shown by Abrams and Lloyd
[15]; using closed timelike curves, as shown by Brun [72] and Bacon [40] (and conjectured
by Deutsch [H5)j or using a measurement rule of the form for any $p \neq 2$, as shown in
Chapter ED It is also easy to see that we could solve NP-complete problems if, given a
quantum state $|\psi\rangle$, we could request a classical description of $|\psi\rangle$, such as a list of amplitudes
or a preparation procedure. By contrast, the DQP model is the first independently
motivated model I know of that seems more powerful than quantum computing, but only
slightly so.$^2$ Moreover, the striking fact that unordered search takes about $N^{1/3}$ steps in
the DQP model, as compared to $N$ steps classically and $N^{1/2}$ quantum-mechanically, suggests
that DQP somehow "continues a sequence" that begins with P and BQP. It would
be interesting to find a model in which search takes $N^{1/4}$ or $N^{1/5}$ steps.

The second reason the results are surprising is that, given a hidden variable, the 
distribution over its possible values at any single time is governed by standard quantum 
mechanics, and is therefore efficiently samplable on a quantum computer. So if examining 
the variable's history confers any extra computational power, then it can only be because 
of correlations between the variable's values at different times. 

The third reason is the criterion for success. I am not saying merely that one 
can solve Graph Isomorphism under some hidden-variable theory; or even that, under any 
theory satisfying the indifference axiom, there exists an algorithm to solve it; but rather that 
there exists a single algorithm that solves Graph Isomorphism under any theory satisfying 
indifference. Thus, we must consider even theories that are specifically designed to thwart 
such an algorithm. 

But what is the motivation for these results? The first motivation is that, within
the community of physicists who study hidden-variable theories such as Bohmian mechanics,
there is great interest in actually calculating the hidden-variable trajectories for specific
physical systems |1901 1140*] . My results show that, when many interacting particles are
involved, this task might be fundamentally intractable, even if a quantum computer were
available. The second motivation is that, in classical computer science, studying "unrealistic"
models of computation has often led to new insights into realistic ones; and likewise I
expect that the DQP model could lead to new results about standard quantum computation.
Indeed, in a sense this has already happened — for the collision lower bound of Chapter
grew out of work on the BQP versus DQP question.

16.2 Outline of Chapter 

Sections 16.3 through 16.6.2 develop the axiomatic approach to hidden variables; then
Sections 16.7 through 16.10 study the computational complexity of sampling hidden-variable
histories.

Section 16.3 formally defines hidden-variable theories in my sense; then Section
16.3.1 contrasts these theories with related ideas such as Bohmian mechanics and modal
interpretations. Section 16.3.2 addresses the most common objections to my approach: for
example, that the implicit dependence on a fixed basis is unacceptable.

In Section 16.4 I introduce five possible axioms for hidden-variable theories. These
are indifference to the identity operation; robustness to small perturbations; commutativity

For as Abrams and Lloyd [15] observed, we can so arrange things that $|\psi\rangle = |0\rangle$ if an NP-complete
instance of interest to us has no solution, but $|\psi\rangle = \sqrt{1 - \varepsilon}\,|0\rangle + \sqrt{\varepsilon}\,|1\rangle$ for some tiny $\varepsilon$ if it has a solution.

2 One can define other, less motivated, models with the same property by allowing "non-collapsing
measurements" of quantum states, but these models are very closely related to DQP. Indeed, a key ingredient
in the results of this chapter will be to show that certain kinds of non-collapsing measurements can be
simulated using histories.
with respect to spacelike-separated unitaries; commutativity for the special case of product
states; and invariance under decomposition of mixed states into pure states. Ideally, a
theory would satisfy all of these axioms. However, I show in Section 16.5 that no theory
satisfies both indifference and commutativity; no theory satisfies both indifference and a
stronger version of robustness; no theory satisfies indifference, robustness, and decomposition
invariance; and no theory satisfies a stronger version of decomposition invariance.

In Section 16.6 I shift from negative to positive results. Section 16.6.1 presents a
hidden-variable theory called the flow theory or $\mathcal{FT}$, which is based on the Max-Flow-Min-Cut
theorem from combinatorial optimization. The idea is to define a network of "pipes"
from basis states at an initial time to basis states at a final time, and then route as much
probability mass as possible through these pipes. The capacity of each pipe depends on
the corresponding entry of the unitary acting from the initial to final time. To find the
probability of transitioning from basis state $|i\rangle$ to basis state $|j\rangle$, we then determine how
much of the flow originating at $|i\rangle$ is routed along the pipe to $|j\rangle$. The main results are
that $\mathcal{FT}$ is well-defined and that it is robust to small perturbations. Since $\mathcal{FT}$ trivially
satisfies the indifference axiom, this implies that the indifference and robustness axioms can
be satisfied simultaneously, which was not at all obvious a priori.

Section 16.6.2 presents a second theory that I call the Schrödinger theory or $\mathcal{ST}$,
since it is based on a pair of integral equations introduced in a 1931 paper of Schrödinger
[213]. Schrödinger conjectured, but was unable to prove, the existence and uniqueness of a
solution to these equations; the problem was not settled until the work of Nagasawa [179]
in the 1980's. In the discrete setting the problem is simpler, and I give a self-contained
proof of existence using a matrix scaling technique due to Sinkhorn 22 fj. The idea is as
follows: we want to convert a unitary matrix that maps one quantum state to another, into
a nonnegative matrix whose $i$th column sums to the initial probability of basis state $|i\rangle$, and
whose $j$th row sums to the final probability of basis state $|j\rangle$. To do so, we first replace each
entry of the unitary matrix by its absolute value, then normalize each column to sum to the
desired initial probability, then normalize each row to sum to the desired final probability.
But then the columns are no longer normalized correctly, so we normalize them again, then
normalize the rows again, and so on. I show that this iterative process converges, from
which it follows that $\mathcal{ST}$ is well-defined. I also observe that $\mathcal{ST}$ satisfies the indifference
and product commutativity axioms, and violates the decomposition invariance axiom. I
conjecture that $\mathcal{ST}$ satisfies the robustness axiom; proving that conjecture is one of the
main open problems of the chapter.
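The alternating column and row normalization described above, as an added example (not the thesis's own code). The helper names, the sample unitary and the sample state are constructed for illustration, and the sample unitary is chosen to have no zero entries.

```python
import math


def matmul(A, B):
    n = len(A)
    return [[sum(A[r][k] * B[k][c] for k in range(n)) for c in range(n)]
            for r in range(n)]


def rotation(n, a, b, theta):
    """n x n real rotation by theta in the (a, b) coordinate plane (a unitary)."""
    R = [[1.0 if r == c else 0.0 for c in range(n)] for r in range(n)]
    R[a][a] = R[b][b] = math.cos(theta)
    R[a][b], R[b][a] = -math.sin(theta), math.sin(theta)
    return R


def apply(U, state):
    return [sum(U[j][i] * state[i] for i in range(len(state)))
            for j in range(len(U))]


def schrodinger_joint(U, alpha, tol=1e-12, max_rounds=10_000):
    """Start from |U| entrywise, then alternately rescale columns to the initial
    probabilities p_i = |alpha_i|^2 and rows to the final probabilities
    q_j = |(U alpha)_j|^2. Returns (P, p, q), where P[j][i] is the probability
    mass assigned to "state |i> initially and state |j> finally"."""
    n = len(alpha)
    p = [abs(a) ** 2 for a in alpha]
    q = [abs(b) ** 2 for b in apply(U, alpha)]
    P = [[abs(U[j][i]) for i in range(n)] for j in range(n)]
    for _ in range(max_rounds):
        for i in range(n):  # columns -> initial probabilities
            col = sum(P[j][i] for j in range(n))
            if col > 0:
                for j in range(n):
                    P[j][i] *= p[i] / col
        for j in range(n):  # rows -> final probabilities
            row = sum(P[j])
            if row > 0:
                P[j] = [v * q[j] / row for v in P[j]]
        # Rows are now exact; stop once the columns are also within tolerance.
        err = max(abs(sum(P[j][i] for j in range(n)) - p[i]) for i in range(n))
        if err < tol:
            return P, p, q
    raise RuntimeError("scaling did not converge")


def transition_matrix(P, p):
    """Column-stochastic S with S[j][i] = Pr[final state j | initial state i]."""
    n = len(p)
    return [[P[j][i] / p[i] if p[i] > 0 else 0.0 for i in range(n)]
            for j in range(n)]


# Constructed sample input (not from the thesis): a 3x3 real unitary with no
# zero entries, and an initial state with probabilities 0.5, 0.3, 0.2.
SAMPLE_U = matmul(rotation(3, 0, 1, 0.7),
                  matmul(rotation(3, 1, 2, 1.1), rotation(3, 0, 2, 0.4)))
SAMPLE_ALPHA = [math.sqrt(0.5), math.sqrt(0.3), math.sqrt(0.2)]

if __name__ == "__main__":
    P, p, q = schrodinger_joint(SAMPLE_U, SAMPLE_ALPHA)
    for row in transition_matrix(P, p):
        print(["%.4f" % v for v in row])
```

With the identity as the unitary, the scaling returns the diagonal matrix of initial probabilities, which is the behaviour the indifference axiom asks for.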

In Section 16.7 I shift attention to the complexity of sampling histories. I formally
define DQP as the class of problems solvable by a classical polynomial-time algorithm with
access to a "history oracle." Given a sequence of quantum circuits as input, this oracle
returns a sample from a corresponding distribution over histories of a hidden variable,
according to some hidden-variable theory $\mathcal{T}$. The oracle can choose $\mathcal{T}$ "adversarially,"
subject to the constraint that $\mathcal{T}$ satisfies the indifference and robustness axioms. Thus,
a key result from Section 16.7 that I rely on is that there exists a hidden-variable theory
satisfying indifference and robustness.

Section 16.7.1 establishes the most basic facts about DQP: for example, that
BQP $\subseteq$ DQP, and that DQP is independent of the choice of gate set. Then Section 16.8
presents the "juggle subroutine," a crucial ingredient in both of the main hidden-variable
algorithms. Given a state of the form $(|a\rangle + |b\rangle)/\sqrt{2}$ or $(|a\rangle - |b\rangle)/\sqrt{2}$, the goal of this
subroutine is to "juggle" a hidden variable between $|a\rangle$ and $|b\rangle$, so that when we inspect the
hidden variable's history, both $|a\rangle$ and $|b\rangle$ are observed with high probability. The difficulty
is that this needs to work under any indifferent hidden-variable theory.

Next, Section 16.9 combines the juggle subroutine with a technique of Valiant and 
Vazirani [231] to prove that SZK ⊆ DQP, from which it follows in particular that Graph 
Isomorphism and Approximate Shortest Vector are in DQP. Then Section 16.10 applies 
the juggle subroutine to search an $N$-item database in $O(N^{1/3})$ queries, and also proves 
that this $N^{1/3}$ bound is optimal. 

I conclude in Section 16.11 with some directions for further research. 



16.3 Hidden-Variable Theories 

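Suppose we have an $N \times N$ unitary matrix $U$, acting on a state 

$$|\psi\rangle = \alpha_1 |1\rangle + \cdots + \alpha_N |N\rangle,$$

where $|1\rangle, \ldots, |N\rangle$ is a standard orthogonal basis. Let 

$$U|\psi\rangle = \beta_1 |1\rangle + \cdots + \beta_N |N\rangle.$$

Then can we construct a stochastic matrix $S$, which maps the vector of probabilities 

$$\vec{p} = \begin{bmatrix} |\alpha_1|^2 \\ \vdots \\ |\alpha_N|^2 \end{bmatrix}$$

induced by measuring $|\psi\rangle$, to the vector 

$$\vec{q} = \begin{bmatrix} |\beta_1|^2 \\ \vdots \\ |\beta_N|^2 \end{bmatrix}$$

induced by measuring $U|\psi\rangle$? Trivially yes. The following matrix maps any vector of 
probabilities to $\vec{q}$, ignoring the input vector $\vec{p}$ entirely: 

$$S_{PT} = \begin{bmatrix} |\beta_1|^2 & \cdots & |\beta_1|^2 \\ \vdots & & \vdots \\ |\beta_N|^2 & \cdots & |\beta_N|^2 \end{bmatrix}.$$

Here PT stands for product theory. The product theory corresponds to a strange picture 
of physical reality, in which memories and records are completely unreliable, there being no 
causal connection between states of affairs at earlier and later times. 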

So we would like $S$ to depend on $U$ itself somehow, not just on $|\psi\rangle$ and $U|\psi\rangle$. 
Indeed, ideally $S$ would be a function only of $U$, and not of $|\psi\rangle$. But this is impossible, as 
the following example shows. Let $U$ be a $\pi/4$ rotation, and let $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$ and 
$|-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}$. Then $U|+\rangle = |1\rangle$ implies that 

$$S(|+\rangle, U) = \begin{bmatrix} 0 & 0 \\ 1 & 1 \end{bmatrix},$$

whereas $U|-\rangle = |0\rangle$ implies that 

$$S(|-\rangle, U) = \begin{bmatrix} 1 & 1 \\ 0 & 0 \end{bmatrix}.$$

On the other hand, it is easy to see that, if $S$ can depend on $|\psi\rangle$ as well as $U$, 
then there are infinitely many choices for the function $S(|\psi\rangle, U)$. Every choice reproduces 
the predictions of quantum mechanics perfectly when restricted to single-time probabilities. 
So how can we possibly choose among them? My approach in Sections 16.4 and 16.6 will 
be to write down axioms that we would like $S$ to satisfy, and then investigate which of the 
axioms can be satisfied simultaneously. 

Formally, a hidden-variable theory is a family of functions $\{S_N\}_{N \ge 1}$, where each 
$S_N$ maps an $N$-dimensional mixed state $\rho$ and an $N \times N$ unitary matrix $U$ onto a singly 
stochastic matrix $S_N(\rho, U)$. I will often suppress the dependence on $N$, $\rho$, and $U$, and 
occasionally use subscripts such as PT or FT to indicate the theory in question. Also, if 
$\rho = |\psi\rangle\langle\psi|$ is a pure state I may write $S(|\psi\rangle, U)$ instead of $S(|\psi\rangle\langle\psi|, U)$. 

Let $(M)_{ij}$ denote the entry in the $i$th column and $j$th row of matrix $M$. Then $(S)_{ij}$ 
is the probability that the hidden variable takes value $|j\rangle$ after $U$ is applied, conditioned 
on it taking value $|i\rangle$ before $U$ is applied. At a minimum, any theory must satisfy the 
following marginalization axiom: for all $j \in \{1, \ldots, N\}$, 

$$\sum_i (S)_{ij} (\rho)_{ii} = (U \rho U^{-1})_{jj}.$$

This says that after $U$ is applied, the hidden variable takes value $|j\rangle$ with probability 
$(U \rho U^{-1})_{jj}$, which is the usual Born probability. 

Often it will be convenient to refer, not to $S$ itself, but to the matrix $P(\rho, U)$ of 
joint probabilities whose $(i,j)$ entry is $(P)_{ij} = (S)_{ij} (\rho)_{ii}$. The $i$th column of $P$ must sum 
to $(\rho)_{ii}$, and the $j$th row must sum to $(U \rho U^{-1})_{jj}$. Indeed, I will define the theories FT and 
ST by first specifying the matrix $P$, and then setting $(S)_{ij} := (P)_{ij} / (\rho)_{ii}$. This approach 
has the drawback that if $(\rho)_{ii} = 0$, then the $i$th column of $S$ is undefined. To get around 
this, I adopt the convention that 

$$S(\rho, U) := \lim_{\varepsilon \to 0^+} S(\rho_\varepsilon, U)$$

where $\rho_\varepsilon = (1 - \varepsilon)\rho + \varepsilon I$ and $I$ is the $N \times N$ maximally mixed state. Technically, the 
limits 

$$\lim_{\varepsilon \to 0^+} \frac{(P(\rho_\varepsilon, U))_{ij}}{(\rho_\varepsilon)_{ii}}$$

might not exist, but in the cases of interest it will be obvious that they do. 
16.3.1 Comparison with Previous Work 

Before going further, I should contrast my approach with previous approaches to hidden 
variables, the most famous of which is Bohmian mechanics [59]. My main difficulty with 
Bohmian mechanics is that it commits itself to a Hilbert space of particle positions and 
momenta. Furthermore, it is crucial that the positions and momenta be continuous, in 
order for particles to evolve deterministically. To see this, let $|L\rangle$ and $|R\rangle$ be discrete 
positions, and suppose a particle is in state $|L\rangle$ at time $t_0$, and state $(|L\rangle + |R\rangle)/\sqrt{2}$ at 
a later time $t_1$. Then a hidden variable representing the position would have entropy 0 
at $t_0$, since it is always $|L\rangle$ then; but entropy 1 at $t_1$, since it is $|L\rangle$ or $|R\rangle$ both with 
1/2 probability. Therefore the earlier value cannot determine the later one.³ It follows 
that Bohmian mechanics is incompatible with the belief that all physical observables are 
discrete. But in my view, there are strong reasons to hold that belief, which include black 
hole entropy bounds; the existence of a natural minimum length scale ($10^{-33}$ cm); results 
on area quantization in quantum gravity [205]; the fact that many physical quantities once 
thought to be continuous have turned out to be discrete; the infinities of quantum field 
theory; the implausibility of analog "hypercomputers"; and conceptual problems raised by 
the independence of the continuum hypothesis. 

Of course there exist stochastic analogues of Bohmian mechanics, among them 
Nelsonian mechanics [181] and Bohm and Hiley's "stochastic interpretation" (HOI- But it is 
not obvious why we should prefer these to other stochastic hidden-variable theories. From 
a quantum-information perspective, it is much more natural to take an abstract approach — 
one that allows arbitrary finite-dimensional Hilbert spaces, and that does not rule out any 
transition rule a priori. 

Stochastic hidden variables have also been considered in the context of modal 
interpretations; see Dickson [96], Bacciagaluppi and Dickson [39], and Dieks [97] for example. 
However, the central assumptions in that work are extremely different from mine. In 
modal interpretations, a pure state evolving unitarily poses no problems at all: one simply 
rotates the hidden-variable basis along with the state, so that the state always represents 
a "possessed property" of the system in the current basis. Difficulties arise only for mixed 
states; and there, the goal is to track a whole set of possessed properties. By contrast, my 
approach is to fix an orthogonal basis, then track a single hidden variable that is an element 
of that basis. The issues raised by pure states and mixed states are essentially the same. 

Finally I should mention the consistent-histories interpretation of Griffiths [137] 
and Gell-Mann and Hartle [122]. This interpretation assigns probabilities to various 
histories through a quantum system, so long as the "interference" between those histories is 
negligible. Loosely speaking, then, the situations where consistent histories make sense are 
precisely the ones where the question of transition probabilities can be avoided. 

³ Put differently, Bohm's conservation of probability result breaks down because the "wavefunctions" at 
$t_0$ and $t_1$ are degenerate, with all amplitude concentrated on finitely many points. But in a discrete Hilbert 
space, every wavefunction is degenerate in this sense! 
16.3.2 Objections 

Hidden-variable theories, as I define them, are open to several technical objections. For 
example, I required transition probabilities for only one orthogonal observable. What 
about other observables? The problem is that, according to the Kochen-Specker theorem, 
we cannot assign consistent values to all observables at any single time, let alone give 
transition probabilities for those values. This is an issue in any setting, not just mine. The 
solution I prefer is to postulate a fixed orthogonal basis of "distinguishable experiences," 
and to interpret a measurement in any other basis as a unitary followed by a measurement 
in the fixed basis. As mentioned in Section modal interpretations opt for a different 
solution, which involves sets of bases that change over time with the state itself. 

Another objection is that the probability of transitioning from basis state $|i\rangle$ at 
time $t_1$ to basis state $|j\rangle$ at time $t_2$ might depend on how finely we divide the time interval 
between $t_1$ and $t_2$. In other words, for some state $|\psi\rangle$ and unitaries $V, W$, we might have 

$$S(|\psi\rangle, WV) \ne S(V|\psi\rangle, W)\, S(|\psi\rangle, V)$$

(a similar point was made by Gillespie [125]). Indeed, this is true for any hidden-variable 
theory other than the product theory PT. To see this, observe that for all unitaries $U$ and 
states $|\psi\rangle$, there exist unitaries $V, W$ such that $U = WV$ and $V|\psi\rangle = |1\rangle$. Then applying 
$V$ destroys all information in the hidden variable (that is, decreases its entropy to 0); so 
if we then apply $W$, then the variable's final value must be uncorrelated with the initial 
value. In other words, $S(V|\psi\rangle, W)\, S(|\psi\rangle, V)$ must equal $S_{PT}(|\psi\rangle, U)$. It follows that to 
any hidden-variable theory we must associate a time scale, or some other rule for deciding 
when the transitions take place. 

In response, it should be noted that exactly the same problem arises in 
continuous-time stochastic hidden-variable theories. For if a state $|\psi\rangle$ is governed by the Schrödinger 
equation $d|\psi\rangle/dt = iH_t|\psi\rangle$, and a hidden variable's probability distribution $p$ is governed 
by the stochastic equation $dp/d\tau = A_\tau p$, then there is still an arbitrary parameter $d\tau/dt$ 
on which the dynamics depend. 

Finally, it will be objected that I have ignored special relativity. In Section 16.4 
I will define a commutativity axiom, which informally requires that the stochastic matrix 
S not depend on the temporal order of spacelike separated events. Unfortunately, we will 
see that when entangled states are involved, commutativity is irreconcilable with another 
axiom that seems even more basic. The resulting nonlocality has the same character as the 
nonlocality of Bohmian mechanics — that is, one cannot use it to send superluminal signals 
in the usual sense, but it is unsettling nonetheless. 

16.4 Axioms for Hidden-Variable Theories 

I now state five axioms that we might like hidden-variable theories to satisfy. 

Indifference. The indifference axiom says that if $U$ is block-diagonal, then $S$ 
should also be block-diagonal with the same block structure or some refinement thereof. 
Formally, let a block be a subset $B \subseteq \{1, \ldots, N\}$ such that $(U)_{ij} = 0$ for all $i \in B, j \notin B$ 
and $i \notin B, j \in B$. Then for all blocks $B$, we should have $(S)_{ij} = 0$ for all $i \in B, j \notin B$ and 
$i \notin B, j \in B$. In particular, indifference implies that given any state $\rho$ in a tensor product 
space $\mathcal{H}_A \otimes \mathcal{H}_B$, and any unitary $U$ that acts only on $\mathcal{H}_A$ (that is, never maps a basis state 
$|i_A\rangle \otimes |i_B\rangle$ to $|j_A\rangle \otimes |j_B\rangle$ where $i_B \ne j_B$), the stochastic matrix $S(\rho, U)$ acts only on $\mathcal{H}_A$ as 
well. 

Robustness. A theory is robust if it is insensitive to small errors in a state or 
unitary (which, in particular, implies continuity). Suppose we obtain $\tilde\rho$ and $\tilde U$ by perturbing 
$\rho$ and $U$ respectively. Then for all polynomials $p$, there should exist a polynomial $q$ such 
that for all $N$, 

$$\left\| P(\tilde\rho, \tilde U) - P(\rho, U) \right\|_\infty \le \frac{1}{p(N)},$$

where $\|M\|_\infty = \max_{ij} |(M)_{ij}|$, whenever $\|\tilde\rho - \rho\|_\infty \le 1/q(N)$ and 
$\|\tilde U - U\|_\infty \le 1/q(N)$. 
Robustness has an important advantage for quantum computing: if a hidden-variable theory 
is robust then the set of gates used to define the unitaries $U_1, \ldots, U_T$ is irrelevant, since by 
the Solovay-Kitaev Theorem (see [153, 182]), any universal quantum gate set can simulate 
any other to a precision $\varepsilon$ with $O(\log^c 1/\varepsilon)$ overhead. 

Commutativity. Let $\rho_{AB}$ be a bipartite state, and let $U_A$ and $U_B$ act only on 
subsystems $A$ and $B$ respectively. Then commutativity means that the order in which $U_A$ 
and $U_B$ are applied is irrelevant: 

$$S(U_A \rho_{AB} U_A^{-1}, U_B)\, S(\rho_{AB}, U_A) = S(U_B \rho_{AB} U_B^{-1}, U_A)\, S(\rho_{AB}, U_B).$$

Product Commutativity. A theory is product commutative if it satisfies 
commutativity for all separable pure states $|\psi\rangle = |\psi_A\rangle \otimes |\psi_B\rangle$. 

Decomposition Invariance. A theory is decomposition invariant if 

$$S(\rho, U) = \sum_{i=1}^{N} p_i\, S(|\psi_i\rangle\langle\psi_i|, U)$$

for every decomposition 

$$\rho = \sum_{i=1}^{N} p_i |\psi_i\rangle\langle\psi_i|$$

of $\rho$ into pure states. Theorem 138 part (ii) will show that the analogous axiom for $P(\rho, U)$ 
is unsatisfiable. 



16.4.1 Comparing Theories 

To fix ideas, let us compare some hidden-variable theories with respect to the above axioms. 
We have already seen the product theory PT in Section 16.3. It is easy to show that PT 
satisfies robustness, commutativity, and decomposition invariance. However, I consider 
PT unsatisfactory because it violates indifference: even if a unitary $U$ acts only on the first 
of two qubits, $S_{PT}(\rho, U)$ will readily produce transitions involving the second qubit. 

Recognizing this problem, Dieks [23 proposed an alternative theory that amounts 
to the following.⁴ 

⁴ Dieks (personal communication) says he would no longer defend this theory. 

                           PT (Product)   DT (Dieks)   FT (Flow)   ST
Indifference               No             Yes          Yes         Yes
Robustness                 Yes            No           Yes         ?
Commutativity              Yes            No           No          No
Product Commutativity      Yes            Yes          No          Yes
Decomposition Invariance   Yes            Yes          No          No

Table 16.1: Four hidden-variable theories and the axioms they satisfy 

First partition the set of basis states into minimal blocks $B_1, \ldots, B_m$ 
between which $U$ never sends amplitude. Then apply the product theory separately to 
each block; that is, if $i$ and $j$ belong to the same block then set 

(UpU~ l ) .. 



and otherwise set $(S)_{ij} = 0$. The resulting Dieks theory, DT, satisfies indifference by 
construction. However, it does not satisfy robustness (or even continuity), since the set of 
blocks can change if we replace '0' entries in $U$ by arbitrarily small nonzero entries. 

In Section 16.6 I will introduce two other hidden-variable theories, the flow theory 
FT and the Schrödinger theory ST. Table 16.1 lists which axioms the four theories satisfy. 

If we could prove that ST satisfies robustness, then Table 1 together with the 
impossibility results of Section 16.5 would completely characterize which of the axioms can 
be satisfied simultaneously. 

16.5 Impossibility Results 

This section shows that certain sets of axioms cannot be satisfied by any hidden-variable 
theory. I first show that the failure of DT, FT, and ST to satisfy commutativity is 
inherent, and not a fixable technical problem. 

Theorem 137 No hidden-variable theory satisfies both indifference and commutativity. 

Proof. Assume indifference holds, and let our initial state be $|\psi\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$. 
Suppose $U_A$ applies a $\pi/8$ rotation to the first qubit, and $U_B$ applies a $-\pi/8$ rotation to 
the second qubit. Then 

$$U_A|\psi\rangle = U_B|\psi\rangle = \frac{1}{\sqrt{2}} \left( \cos\frac{\pi}{8}\,|00\rangle - \sin\frac{\pi}{8}\,|01\rangle + \sin\frac{\pi}{8}\,|10\rangle + \cos\frac{\pi}{8}\,|11\rangle \right),$$

$$U_A U_B|\psi\rangle = U_B U_A|\psi\rangle = \frac{1}{2} \left( |00\rangle - |01\rangle + |10\rangle + |11\rangle \right).$$

Let $v_t$ be the value of the hidden variable after $t$ unitaries have been applied. Let $E$ be the 
event that $v_0 = |00\rangle$ initially, and $v_2 = |10\rangle$ at the end. If $U_A$ is applied before $U_B$, then 
the unique 'path' from $v_0$ to $v_2$ consistent with indifference sets $v_1 = |10\rangle$. So 

$$\Pr[E] \le \Pr[v_1 = |10\rangle] = \frac{1}{2}\sin^2\frac{\pi}{8}.$$

But if $U_B$ is applied before $U_A$, then the probability that $v_0 = |11\rangle$ and $v_2 = |10\rangle$ is at most 
$\frac{1}{2}\sin^2\frac{\pi}{8}$, by the same reasoning. Thus, since $v_2$ must equal $|10\rangle$ with probability 1/4, and 
since the only possibilities for $v_0$ are $|00\rangle$ and $|11\rangle$, 

$$\Pr[E] \ge \frac{1}{4} - \frac{1}{2}\sin^2\frac{\pi}{8} > \frac{1}{2}\sin^2\frac{\pi}{8}.$$

We conclude that commutativity is violated. ■ 

Let me remark on the relationship between Theorem 137 and Bell's Theorem. 
Any hidden-variable theory that is "local" in Bell's sense would immediately satisfy both 
indifference and commutativity. However, the converse is not obvious, since there might 
be nonlocal information in the states $U_A|\psi\rangle$ or $U_B|\psi\rangle$, which an indifferent commutative 
theory could exploit but a local one could not. Theorem 137 rules out this possibility, and 
in that sense is a strengthening of Bell's Theorem. 

The next result places limits on decomposition invariance. 

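Theorem 138 

(i) No theory satisfies indifference, robustness, and decomposition invariance. 
(ii) No theory has the property that 

$$P(\rho, U) = \sum_{i=1}^{N} p_i\, P(|\psi_i\rangle\langle\psi_i|, U)$$

for every decomposition $\sum_{i=1}^{N} p_i |\psi_i\rangle\langle\psi_i|$ of $\rho$. 

Proof. 

(i) Suppose the contrary. Let 

$$R_\theta = \begin{bmatrix} \cos\theta & -\sin\theta \\ \sin\theta & \cos\theta \end{bmatrix}, \qquad |\varphi_\theta\rangle = \cos\theta\,|0\rangle + \sin\theta\,|1\rangle.$$

Then for every $\theta$ not a multiple of $\pi/2$, we must have 

$$S(|\varphi_{-\theta}\rangle, R_\theta) = \begin{bmatrix} 1 & 1 \\ 0 & 0 \end{bmatrix}, \qquad S(|\varphi_{\pi/2-\theta}\rangle, R_\theta) = \begin{bmatrix} 0 & 0 \\ 1 & 1 \end{bmatrix}.$$

So by decomposition invariance, letting $I = (|0\rangle\langle 0| + |1\rangle\langle 1|)/2$ denote the maximally 
mixed state, 

$$S(I, R_\theta) = S\left( \frac{|\varphi_{-\theta}\rangle\langle\varphi_{-\theta}| + |\varphi_{\pi/2-\theta}\rangle\langle\varphi_{\pi/2-\theta}|}{2},\, R_\theta \right) = \begin{bmatrix} \frac{1}{2} & \frac{1}{2} \\ \frac{1}{2} & \frac{1}{2} \end{bmatrix}$$

and therefore 

$$P(I, R_\theta) = \begin{bmatrix} \frac{(\rho)_{00}}{2} & \frac{(\rho)_{11}}{2} \\ \frac{(\rho)_{00}}{2} & \frac{(\rho)_{11}}{2} \end{bmatrix} = \begin{bmatrix} \frac{1}{4} & \frac{1}{4} \\ \frac{1}{4} & \frac{1}{4} \end{bmatrix}.$$

By robustness, this holds for $\theta = 0$ as well. But this is a contradiction, since by 
indifference $P(I, R_0)$ must be half the identity. 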



(ii) Suppose the contrary; then 



P(|0),i? 7r/8 )+P(|l), J R 7r/8 ) 



So considering transitions from |0) to |1), 

_ (P(|0),i? 7r/8 )) 11 + 0_ 1 . 2?r 



But 



[P (l,R v / 8 )) 



P (I, R^i 



01 



— sm — . 

2 8 



also. Since P^/g \<Pn/s) = \<Pn/4:)i we nave 



P(I,R^)) m >-(P(\^ /8 ),R,/s)) 



01 



1/1 o 7T 

> - - - sin 2 - 
~ 2 I 2 8 



1 • 2 
> - sm 

2 



7T 



which is a contradiction. 



Notice that all three conditions in Theorem 138 part (i) were essential — for PT 
satisfies robustness and decomposition invariance, DT satisfies indifference and 
decomposition invariance, and FT satisfies indifference and robustness. 

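The last impossibility result says that no hidden-variable theory satisfies both 
indifference and "strong continuity," in the sense that for all $\varepsilon > 0$ there exists $\delta > 0$ such 
that $\|\tilde\rho - \rho\| \le \delta$ implies $\|S(\tilde\rho, U) - S(\rho, U)\| \le \varepsilon$. To see this, let 

$$U = \begin{bmatrix} 1 & 0 & 0 \\ 0 & \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} \\ 0 & \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} \end{bmatrix},$$

$$\rho = \sqrt{1 - 2\delta^2}\,|0\rangle + \delta\,|1\rangle + \delta\,|2\rangle,$$

$$\tilde\rho = \sqrt{1 - 2\delta^2}\,|0\rangle + \delta\,|1\rangle - \delta\,|2\rangle.$$

Then by indifference, 

$$S(\rho, U) = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 1 & 1 \end{bmatrix}, \qquad S(\tilde\rho, U) = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 1 \\ 0 & 0 & 0 \end{bmatrix}.$$

This is the reason why I defined robustness in terms of the joint probabilities matrix $P$ rather 
than the stochastic matrix $S$. On the other hand, note that by giving up indifference, one 
can satisfy strong continuity, as is shown by PT. 

Figure 16.1: A network (weighted directed graph with source and sink) corresponding to 
the unitary $U$ and state $|\psi\rangle$ 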



16.6 Specific Theories 

This section presents two nontrivial examples of hidden-variable theories: the flow theory 
in Section 16.6.1 and the Schrödinger theory in Section 16.6.2. 

16.6.1 Flow Theory 

The idea of the flow theory is to convert a unitary matrix into a weighted directed graph, 
and then route probability mass through that graph like oil through pipes. Given a unitary 
$U$, let 

$$\begin{bmatrix} \beta_1 \\ \vdots \\ \beta_N \end{bmatrix} = \begin{bmatrix} (U)_{11} & \cdots & (U)_{N1} \\ \vdots & & \vdots \\ (U)_{1N} & \cdots & (U)_{NN} \end{bmatrix} \begin{bmatrix} \alpha_1 \\ \vdots \\ \alpha_N \end{bmatrix}$$

where for the time being 

$$|\psi\rangle = \alpha_1 |1\rangle + \cdots + \alpha_N |N\rangle,$$
$$U|\psi\rangle = \beta_1 |1\rangle + \cdots + \beta_N |N\rangle$$

are pure states. Then consider the network $G$ shown in Figure 16.1. We have a source vertex 
$s$, a sink vertex $t$, and $N$ input and $N$ output vertices labeled by basis states $|1\rangle, \ldots, |N\rangle$. 
Each edge of the form $(s, |i\rangle)$ has capacity $|\alpha_i|^2$, each edge $(|i\rangle, |j\rangle)$ has capacity $|(U)_{ij}|$, 
and each edge $(|j\rangle, t)$ has capacity $|\beta_j|^2$. A natural question is how much probability mass 
can flow from $s$ to $t$ without violating the capacity constraints. Rather surprisingly, I will 
show that one unit of mass (that is, all of it) can. Interestingly, this result would be false 
if edge $(|i\rangle, |j\rangle)$ had capacity $|(U)_{ij}|^2$ (or even $|(U)_{ij}|^{1+\varepsilon}$) instead of $|(U)_{ij}|$. I will also 
show that there exists a mapping from networks to maximal flows in those networks, that 
is robust in the sense that a small change in edge capacities produces only a small change 
in the amount of flow through any edge. 

The proofs of these theorems use classical results from the theory of network flows 
(see jHH] for an introduction). In particular, let a cut be a set of edges that separates $s$ from 
$t$; the value of a cut is the sum of the capacities of its edges. Then a fundamental result 
called the Max-Flow-Min-Cut Theorem [111] says that the maximum possible amount of 
flow from $s$ to $t$ equals the minimum value of any cut. Using that result I can show the 
following. 

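Theorem 139 One unit of flow can be routed from $s$ to $t$ in $G$. 

Proof. By the above, it suffices to show that any cut $C$ in $G$ has value at least 1. 
Let $A$ be the set of $i \in \{1, \ldots, N\}$ such that $(s, |i\rangle) \notin C$, and let $B$ be the set of $j$ such that 
$(|j\rangle, t) \notin C$. Then $C$ must contain every edge $(|i\rangle, |j\rangle)$ such that $i \in A$ and $j \in B$, and we 
can assume without loss of generality that $C$ contains no other edges. So the value of $C$ is 

$$\sum_{i \notin A} |\alpha_i|^2 + \sum_{j \notin B} |\beta_j|^2 + \sum_{i \in A,\, j \in B} |(U)_{ij}|.$$

Therefore we need to prove the matrix inequality 

$$\left( 1 - \sum_{i \in A} |\alpha_i|^2 \right) + \left( 1 - \sum_{j \in B} |\beta_j|^2 \right) + \sum_{i \in A,\, j \in B} |(U)_{ij}| \ge 1,$$

or 

$$1 + \sum_{i \in A,\, j \in B} |(U)_{ij}| \ge \sum_{i \in A} |\alpha_i|^2 + \sum_{j \in B} |\beta_j|^2. \qquad (16.1)$$

Let $U$ be fixed, and consider the maximum of the right-hand side of equation (16.1) over 
all $|\psi\rangle$. Since 

$$\beta_j = \sum_i (U)_{ij}\, \alpha_i,$$

this maximum is equal to the largest eigenvalue $\lambda$ of the positive semidefinite matrix 

$$\sum_{i \in A} |i\rangle\langle i| + \sum_{j \in B} |u_j\rangle\langle u_j|$$

where for each $j$, 

$$|u_j\rangle = (U)_{1j} |1\rangle + \cdots + (U)_{Nj} |N\rangle.$$

Let $H_A$ be the subspace of states spanned by $\{|i\rangle : i \in A\}$, and let $H_B$ be the subspace 
spanned by $\{|u_j\rangle : j \in B\}$. Also, let $L_A(|\psi\rangle)$ be the length of the projection of $|\psi\rangle$ onto 
$H_A$, and let $L_B(|\psi\rangle)$ be the length of the projection of $|\psi\rangle$ onto $H_B$. Then since the $|i\rangle$'s 
and $|u_j\rangle$'s form orthogonal bases for $H_A$ and $H_B$ respectively, we have 

$$\lambda = \max_{|\psi\rangle} \left( \sum_{i \in A} |\langle i|\psi\rangle|^2 + \sum_{j \in B} |\langle u_j|\psi\rangle|^2 \right) = \max_{|\psi\rangle} \left( L_A(|\psi\rangle)^2 + L_B(|\psi\rangle)^2 \right).$$

So letting $\theta$ be the angle between $H_A$ and $H_B$, 

$$\lambda = 2\cos^2\frac{\theta}{2} = 1 + \cos\theta \le 1 + \max_{|a\rangle \in H_A,\, |b\rangle \in H_B} |\langle a|b\rangle|$$

$$= 1 + \max_{\substack{|\gamma_1|^2 + \cdots + |\gamma_N|^2 = 1 \\ |\delta_1|^2 + \cdots + |\delta_N|^2 = 1}} \left| \left( \sum_{i \in A} \gamma_i \langle i| \right) \left( \sum_{j \in B} \delta_j |u_j\rangle \right) \right| \le 1 + \sum_{i \in A,\, j \in B} |(U)_{ij}|,$$

which completes the theorem. ■ 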

Observe that Theorem 139 still holds if $U$ acts on a mixed state $\rho$, since we 
can write $\rho$ as a convex combination of pure states $|\psi\rangle\langle\psi|$, construct a flow for each $|\psi\rangle$ 
separately, and then take a convex combination of the flows. 
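
Theorem 139 can be checked numerically. The following is an added example, not code from the thesis: it builds the network $G$ for constructed states and unitaries, runs a standard Edmonds-Karp max-flow, and returns the routed mass together with the joint matrix read off the middle edges. The function names, the sample inputs, and the squared-capacity variant included for contrast are assumptions of this example; the routine returns some maximal flow and singles out no particular one.

```python
import math
from collections import deque

def max_flow(cap, s, t, eps=1e-12):
    """Edmonds-Karp (shortest augmenting paths) on a dense capacity matrix."""
    n = len(cap)
    res = [row[:] for row in cap]              # residual capacities
    total = 0.0
    while True:
        parent = [-1] * n
        parent[s] = s
        queue = deque([s])
        while queue and parent[t] == -1:
            u = queue.popleft()
            for v in range(n):
                if parent[v] == -1 and res[u][v] > eps:
                    parent[v] = u
                    queue.append(v)
        if parent[t] == -1:                    # no augmenting path is left
            break
        bottleneck, v = math.inf, t
        while v != s:                          # smallest residual on the path
            bottleneck = min(bottleneck, res[parent[v]][v])
            v = parent[v]
        v = t
        while v != s:                          # push the flow along the path
            u = parent[v]
            res[u][v] -= bottleneck
            res[v][u] += bottleneck
            v = u
        total += bottleneck
    flow = [[max(cap[u][v] - res[u][v], 0.0) for v in range(n)] for u in range(n)]
    return total, flow

def build_network(U, psi, middle_capacity=abs):
    """Vertices: 0 = s, 1..N = inputs |i>, N+1..2N = outputs |j>, 2N+1 = t.
    U[j][i] is the amplitude with which U sends |i> to |j>."""
    n = len(psi)
    beta = [sum(U[j][i] * psi[i] for i in range(n)) for j in range(n)]
    s, t = 0, 2 * n + 1
    cap = [[0.0] * (2 * n + 2) for _ in range(2 * n + 2)]
    for i in range(n):
        cap[s][1 + i] = abs(psi[i]) ** 2            # (s, |i>): |alpha_i|^2
        cap[1 + n + i][t] = abs(beta[i]) ** 2       # (|j>, t): |beta_j|^2
        for j in range(n):
            cap[1 + i][1 + n + j] = middle_capacity(U[j][i])
    return cap, s, t

def route(U, psi, middle_capacity=abs):
    """Return (mass routed from s to t, joint matrix P with P[j][i] = flow |i> -> |j>)."""
    n = len(psi)
    cap, s, t = build_network(U, psi, middle_capacity)
    total, flow = max_flow(cap, s, t)
    P = [[flow[1 + i][1 + n + j] for i in range(n)] for j in range(n)]
    return total, P

def squared(z):
    """Alternative middle-edge capacity |U_ij|^2, used only for contrast."""
    return abs(z) ** 2

# Constructed sample inputs (not taken from the thesis).
C8, S8 = math.cos(math.pi / 8), math.sin(math.pi / 8)
ROT = [[C8, -S8], [S8, C8]]                         # pi/8 rotation
PLUS = [1 / math.sqrt(2), 1 / math.sqrt(2)]         # |+>
W = complex(math.cos(2 * math.pi / 3), math.sin(2 * math.pi / 3))
DFT3 = [[W ** (i * j) / math.sqrt(3) for i in range(3)] for j in range(3)]
PSI3 = [0.6, 0.8j, 0.0]

if __name__ == "__main__":
    print("capacity |U_ij|  :", route(ROT, PLUS)[0])
    print("capacity |U_ij|^2:", route(ROT, PLUS, squared)[0])
    print("3-dim Fourier    :", route(DFT3, PSI3)[0])
```

With capacities $|(U)_{ij}|$ the full unit of mass is routed in both sample cases, while the squared capacities leave a cut of value below 1 for the rotation example.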

Using Theorem 139, I now define the flow theory FT. Let $F(\rho, U)$ be the set 
of maximal flows for $\rho, U$ — representable by $N \times N$ arrays of real numbers $f_{ij}$ such that 
$0 \le f_{ij} \le |(U)_{ij}|$ for all $i, j$, and also 

Clearly $F(\rho, U)$ is a convex polytope, which Theorem 139 asserts is nonempty. Form a 
maximal flow $f^*(\rho, U) \in F(\rho, U)$ as follows: first let $f^*_{11}$ be the maximum of $f_{11}$ over 
all $f \in F(\rho, U)$. Then let $f^*_{12}$ be the maximum of $f_{12}$ over all $f \in F(\rho, U)$ such that 
$f_{11} = f^*_{11}$. Continue to loop through all $i, j$ pairs in lexicographic order, setting each $f^*_{ij}$ to 
its maximum possible value consistent with the $(i - 1)N + j - 1$ previous values. Finally, 
let $(P)_{ij} = f^*_{ij}$ for all $i, j$. As discussed in Section 16.3, given $P$ we can easily obtain the 
stochastic matrix $S$ by dividing the $i$th column by $(\rho)_{ii}$, or taking a limit in case $(\rho)_{ii} = 0$. 

It is easy to check that FT so defined satisfies the indifference axiom. Showing 
that FT satisfies robustness is harder. Our proof is based on the Ford-Fulkerson algorithm 
[111], a classic algorithm for computing maximal flows that works by finding a sequence of 
"augmenting paths," each of which increases the flow from $s$ to $t$ by some positive amount. 
Theorem 140 FT satisfies robustness. 

Proof. Let $G$ be an arbitrary flow network with source $s$, sink $t$, and directed 
edges $e_1, \ldots, e_m$, where each $e_i$ has capacity $c_i$ and leads from $v_i$ to $w_i$. It will be convenient 
to introduce a fictitious edge $e_0$ from $t$ to $s$ with unlimited capacity; then maximizing the 
flow through $G$ is equivalent to maximizing the flow through $e_0$. Suppose we produce a 
new network $\tilde G$ by increasing a single capacity $c_{i^*}$ by some $\varepsilon > 0$. Let $f^*$ be the optimal 
flow for $G$, obtained by first maximizing the flow $f_0$ through $e_0$, then maximizing the flow 
$f_1$ through $e_1$ holding $f_0$ fixed, and so on up to $f_m$. Let $\tilde f^*$ be the maximal flow for $\tilde G$ 
produced in the same way. We claim that for all $i \in \{0, \ldots, m\}$, 

$$\left| \tilde f^*_i - f^*_i \right| \le \varepsilon.$$

To see that the theorem follows from this claim: first, if $f^*$ is robust under adding $\varepsilon$ to 
$c_{i^*}$, then it must also be robust under subtracting $\varepsilon$ from $c_{i^*}$. Second, if we change $\rho, U$ 
to $\tilde\rho, \tilde U$ such that $\|\tilde\rho - \rho\|_\infty \le 1/q(N)$ and $\|\tilde U - U\|_\infty \le 1/q(N)$, then we can imagine the 
$N^2 + 2N$ edge capacities are changed one by one, so that 

$$\left\| f^*(\tilde\rho, \tilde U) - f^*(\rho, U) \right\|_\infty \le \sum_{ij} \Bigl|\, |(\tilde U)_{ij}| - |(U)_{ij}| \,\Bigr| + \sum_i \left| (\tilde\rho)_{ii} - (\rho)_{ii} \right| + \sum_j \left| (\tilde U \tilde\rho \tilde U^{-1})_{jj} - (U \rho U^{-1})_{jj} \right| \le \frac{4N^2}{q(N)}.$$

(Here we have made no attempt to optimize the bound.) 

We now prove the claim. To do so we describe an iterative algorithm for computing 
$f^*$. First maximize the flow $f_0$ through $e_0$, by using the Ford-Fulkerson algorithm to find 
a maximal flow from $s$ to $t$. Let $f^{(0)}$ be the resulting flow, and let $G^{(1)}$ be the residual 
network that corresponds to $f^{(0)}$. For each $i$, that is, $G^{(1)}$ has an edge $e_i^{(1)} = (v_i, w_i)$ of 
capacity $c_i^{(1)} = c_i - f_i^{(0)}$, and an edge $\bar e_i^{(1)} = (w_i, v_i)$ of capacity $\bar c_i^{(1)} = f_i^{(0)}$. Next maximize 
$f_1$ subject to $f_0$ by using the Ford-Fulkerson algorithm to find "augmenting cycles" from 
$w_1$ to $v_1$ and back to $w_1$ in $G^{(1)} \setminus \{e_0, \bar e_0\}$. Continue in this manner until each of $f_1, \ldots, f_m$ 
has been maximized subject to the previous $f_i$'s. Finally set $f^* = f^{(m)}$. 

Now, one way to compute $\tilde f^*$ is to start with $f^*$, then repeatedly "correct" it 
by applying the same iterative algorithm to maximize $\tilde f_0$, then $\tilde f_1$, and so on. Let $\varepsilon_i = 
|\tilde f^*_i - f^*_i|$; then we need to show that $\varepsilon_i \le \varepsilon$ for all $i \in \{0, \ldots, m\}$. The proof is by induction 
on $i$. Clearly $\varepsilon_0 \le \varepsilon$, since increasing $c_{i^*}$ by $\varepsilon$ can increase the value of the minimum cut 
from $s$ to $t$ by at most $\varepsilon$. Likewise, after we maximize $\tilde f_0$, the value of the minimum cut 
from $w_1$ to $v_1$ can increase by at most $\varepsilon - \varepsilon_0 + \varepsilon_0 = \varepsilon$. For of the at most $\varepsilon$ new units of flow 
from $w_1$ to $v_1$ that increasing $c_{i^*}$ made available, $\varepsilon_0$ of them were "taken up" in maximizing 
$\tilde f_0$, but the process of maximizing $\tilde f_0$ could have again increased the minimum cut from $w_1$ 
to $v_1$ by up to $\varepsilon_0$. Continuing in this way, 

$$\varepsilon_2 \le \varepsilon - \varepsilon_0 + \varepsilon_0 - \varepsilon_1 + \varepsilon_1 = \varepsilon,$$

and so on up to $\varepsilon_m$. This completes the proof. ■ 
That FT violates decomposition invariance now follows from Theorem 138 part 
(i). One can also show that FT violates product commutativity, by considering the 
following example: let $|\psi\rangle = |\varphi_{\pi/4}\rangle \otimes |\varphi_{-\pi/8}\rangle$ be a 2-qubit initial state, and let $R^A_{\pi/4}$ and $R^B_{\pi/4}$ 
be $\pi/4$ rotations applied to the first and second qubits respectively. Then 

$$S(R^A_{\pi/4}|\psi\rangle, R^B_{\pi/4})\, S(|\psi\rangle, R^A_{\pi/4}) \ne S(R^B_{\pi/4}|\psi\rangle, R^A_{\pi/4})\, S(|\psi\rangle, R^B_{\pi/4}).$$

We omit a proof for brevity. 



16.6.2 Schrödinger Theory 

The final hidden-variable theory, which I call the Schrödinger theory or ST, is the most 
interesting one mathematically. The idea — to make a matrix into a stochastic matrix via 
row and column rescaling — is natural enough that we came upon it independently, only later 
learning that it originated in a 1931 paper of Schrödinger [213]. The idea was subsequently 
developed by Fortet [112], Beurling (SHj, Nagasawa [179], and others. My goal is to give 
what (to my knowledge) is the first self-contained, reasonably accessible presentation of the 
main result in this area; and to interpret that result in what I think is the correct way: as 
providing one example of a hidden-variable theory, whose strengths and weaknesses should 
be directly compared to those of other theories. 

Most of the technical difficulties in [HE1, 112, 179, 213] arise because the stochastic 
process being constructed involves continuous time and particle positions. Here I eliminate 
those difficulties by restricting attention to discrete time and finite-dimensional Hilbert 
spaces. I thereby obtain a generalized version⁵ of a problem that computer scientists know 
as $(r, c)$-scaling of matrices [221, 118, 167]. 

As in the case of the flow theory, given a unitary $U$ acting on a state $\rho$, the first 
step is to replace each entry of $U$ by its absolute value, obtaining a nonnegative matrix $U^{(0)}$ 
defined by $(U^{(0)})_{ij} := |(U)_{ij}|$. We then wish to find nonnegative column multipliers 
$\alpha_1, \ldots, \alpha_N$ and row multipliers $\beta_1, \ldots, \beta_N$ such that for all $i, j$, 

$$\alpha_i \beta_1 (U^{(0)})_{i1} + \cdots + \alpha_i \beta_N (U^{(0)})_{iN} = (\rho)_{ii}, \qquad (16.2)$$
$$\alpha_1 \beta_j (U^{(0)})_{1j} + \cdots + \alpha_N \beta_j (U^{(0)})_{Nj} = (U \rho U^{-1})_{jj}. \qquad (16.3)$$

If we like, we can interpret the $\alpha_i$'s and $\beta_j$'s as dynamical variables that reach equilibrium 
precisely when equations (16.2) and (16.3) are satisfied. Admittedly, it might be thought 
physically implausible that such a complicated dynamical process should take place at every 
instant of time. On the other hand, it is hard to imagine a more "benign" way to convert 
$U^{(0)}$ into a joint probabilities matrix, than by simply rescaling its rows and columns. 

I will show that multipliers satisfying (16.2) and (16.3) always exist. The intuition 
of a dynamical process reaching equilibrium turns out to be key to the proof. For all $t \ge 0$, 
let 



In words, we obtain $U^{(2t+1)}$ by normalizing each column $i$ of $U^{(2t)}$ to sum to $(\rho)_{ii}$; likewise 
we obtain $U^{(2t+2)}$ by normalizing each row $j$ of $U^{(2t+1)}$ to sum to $(U \rho U^{-1})_{jj}$. The crucial 
fact is that the above process always converges to some can 
therefore take 



for all Although I will not prove it here, it turns out that this yields the unique solution 
to equations (16.2) and (16.3), up to a global rescaling of the form $\alpha_i \to \alpha_i c$ for all $i$ and 
$\beta_j \to \beta_j / c$ for all $j$ [173]. 

The convergence proof will reuse a result about network flows from Section 16.6.1, 
in order to define a nondecreasing "progress measure" based on Kullback-Leibler distance. 

⁵ In $(r, c)$-scaling, we are given an invertible real matrix, and the goal is to rescale all rows and columns 
to sum to 1. The generalized version is to rescale the rows and columns to given values (not necessarily 1). 

Theorem 141 The limit $P(\rho, U) = \lim_{t \to \infty} U^{(t)}$ exists. 

Proof. A consequence of Theorem 139 is that for every $\rho, U$, there exists an $N \times N$ 
array of nonnegative real numbers $f_{ij}$ such that 

(1) $f_{ij} = 0$ whenever $|(U)_{ij}| = 0$, 

(2) $f_{i1} + \cdots + f_{iN} = (\rho)_{ii}$ for all $i$, and 

(3) $f_{1j} + \cdots + f_{Nj} = (U \rho U^{-1})_{jj}$ for all $j$. 

Given any such array, define a progress measure 



where we adopt the convention $0^0 = 1$. We claim that $Z^{(t+1)} \ge Z^{(t)}$ for all $t \ge 1$. To 
see this, assume without loss of generality that we are on an odd step $2t + 1$, and let 
$C_i^{(2t)} = \sum_j (U^{(2t)})_{ij}$ be the $i$th column sum before we normalize it. Then 



As a result of the $2t$th normalization step, we had $\sum_i C_i^{(2t)} = 1$. Subject to that constraint, 
the maximum of 

$$\prod_i \left( C_i^{(2t)} \right)^{(\rho)_{ii}}$$

over the $C_i^{(2t)}$'s occurs when $C_i^{(2t)} = (\rho)_{ii}$ for all $i$ — a simple calculus fact that follows 
from the nonnegativity of Kullback-Leibler distance. This implies that $Z^{(2t+1)} \ge Z^{(2t)}$. 
Similarly, normalizing rows leads to $Z^{(2t+2)} \ge Z^{(2t+1)}$. 

It follows that the limit $P(\rho, U) = \lim_{t \to \infty} U^{(t)}$ exists. For suppose not; then some 
$C_i^{(t)}$ is bounded away from $(\rho)_{ii}$, so there exists an $\varepsilon > 0$ such that $Z^{(t+1)} \ge (1 + \varepsilon) Z^{(t)}$ for 
all even $t$. But this is a contradiction, since $Z^{(0)} > 0$ and $Z^{(t)} \le 1$ for all $t$. ■ 

Besides showing that $P(\rho, U)$ is well-defined, Theorem 141 also yields a procedure
to calculate $P(\rho, U)$ (as well as the $\alpha_i$'s and $\beta_j$'s). It can be shown that this procedure
converges to within entrywise error $\varepsilon$ after a number of steps polynomial in $N$ and $1/\varepsilon$. Also,
once we have $P(\rho, U)$, the stochastic matrix $S(\rho, U)$ is readily obtained by normalizing
each column of $P(\rho, U)$ to sum to 1. This completes the definition of the Schrödinger
theory $\mathcal{ST}$.

It is immediate that $\mathcal{ST}$ satisfies indifference. Also:

Proposition 142 $\mathcal{ST}$ satisfies product commutativity.

Proof. Given a state $|\psi\rangle = |\psi_A\rangle \otimes |\psi_B\rangle$, let $U_A \otimes I$ act only on $|\psi_A\rangle$ and let $I \otimes U_B$
act only on $|\psi_B\rangle$. Then we claim that

$$S(|\psi\rangle, U_A \otimes I) = S(|\psi_A\rangle, U_A) \otimes I.$$

The reason is simply that multiplying all amplitudes in $|\psi_A\rangle$ and $U_A$ by a constant
factor $\alpha_x$, as we do for each basis state $|x\rangle$ of $|\psi_B\rangle$, has no effect on the scaling procedure
that produces $S(|\psi_A\rangle, U_A)$. Similarly

$$S(|\psi\rangle, I \otimes U_B) = I \otimes S(|\psi_B\rangle, U_B).$$

It follows that

$$S(|\psi_A\rangle, U_A) \otimes S(|\psi_B\rangle, U_B) = S(U_A|\psi_A\rangle \otimes |\psi_B\rangle, I \otimes U_B)\, S(|\psi\rangle, U_A \otimes I)$$

$$= S(|\psi_A\rangle \otimes U_B|\psi_B\rangle, U_A \otimes I)\, S(|\psi\rangle, I \otimes U_B).$$

■

On the other hand, numerical simulations readily show that $\mathcal{ST}$ violates decomposition
invariance, even when $N = 2$ (I omit a concrete example for brevity).

16.7 The Computational Model 

I now explain the histories model of computation, building up to the complexity class DQP.
From now on, the states $\rho$ that we consider will always be pure states of $\ell = \log_2 N$ qubits.
That is, $\rho = |\psi\rangle\langle\psi|$ where

$$|\psi\rangle = \sum_{x \in \{0,1\}^\ell} \alpha_x |x\rangle.$$

The algorithms of this chapter will work under any hidden-variable theory that
satisfies the indifference axiom. On the other hand, if we take into account that even in
theory (let alone in practice), a generic unitary cannot be represented exactly with a finite
universal gate set, only approximated arbitrarily well, then we also need the robustness
axiom. Thus, it is reassuring that there exists a hidden-variable theory (namely $\mathcal{FT}$) that
satisfies both indifference and robustness.

Let a quantum computer have the initial state $|0\rangle^{\otimes \ell}$, and suppose we apply a
sequence $\mathcal{U} = (U_1, \ldots, U_T)$ of unitary operations, each of which is implemented by a
polynomial-size quantum circuit. Then a history of a hidden variable through the computation
is a sequence $H = (v_0, \ldots, v_T)$ of basis states, where $v_t$ is the variable's value
immediately after $U_t$ is applied (thus $v_0 = |0\rangle^{\otimes \ell}$). Given any hidden-variable theory $\mathcal{T}$, we
can obtain a probability distribution $\Omega(\mathcal{U}, \mathcal{T})$ over histories by just applying $\mathcal{T}$ repeatedly,
once for each $U_t$, to obtain the stochastic matrices

$$S(|0\rangle^{\otimes \ell}, U_1),\quad S(U_1|0\rangle^{\otimes \ell}, U_2),\quad \ldots,\quad S(U_{T-1} \cdots U_1|0\rangle^{\otimes \ell}, U_T).$$

Note that $\Omega(\mathcal{U}, \mathcal{T})$ is a Markov distribution; that is, each $v_t$ is independent of the other $v_i$'s
conditioned on $v_{t-1}$ and $v_{t+1}$. Admittedly, $\Omega(\mathcal{U}, \mathcal{T})$ could depend on the precise way in
which the combined circuit $U_T \cdots U_1$ is "sliced" into component circuits $U_1, \ldots, U_T$. But
as noted in Section 16.3.2, such dependence on the granularity of unitaries is unavoidable
in any hidden-variable theory other than $\mathcal{PT}$.

Given a hidden-variable theory $\mathcal{T}$, let $\mathcal{O}(\mathcal{T})$ be an oracle that takes as input a
positive integer $\ell$, and a sequence of quantum circuits $\mathcal{U} = (U_1, \ldots, U_T)$ that act on $\ell$ qubits.
Here each $U_t$ is specified by a sequence $(g_{t,1}, \ldots, g_{t,m(t)})$ of gates chosen from some finite
universal gate set $\mathcal{G}$. The oracle $\mathcal{O}(\mathcal{T})$ returns as output a sample $(v_0, \ldots, v_T)$ from the
history distribution $\Omega(\mathcal{U}, \mathcal{T})$ defined previously. Now let $A$ be a deterministic classical
Turing machine that is given oracle access to $\mathcal{O}(\mathcal{T})$. The machine $A$ receives an input $x$,
makes a single oracle query to $\mathcal{O}(\mathcal{T})$, then produces an output based on the response. We
say a set of strings $L$ is in DQP if there exists an $A$ such that for all sufficiently large $n$ and
inputs $x \in \{0,1\}^n$, and all theories $\mathcal{T}$ satisfying the indifference and robustness axioms, $A$
correctly decides whether $x \in L$ with probability at least 2/3, in time polynomial in $n$.

Let me make some remarks about the above definition. There is no real significance
in the requirement that $A$ be deterministic and classical, and that it be allowed only
one query to $\mathcal{O}(\mathcal{T})$. I made this choice only because it suffices for the upper bounds; it
might be interesting to consider the effects of other choices. However, other aspects of the
definition are not arbitrary. The order of quantifiers matters; we want a single $A$ that works
for any hidden-variable theory satisfying indifference and robustness. Also, we require $A$
to succeed only for sufficiently large $n$ since by choosing a large enough polynomial $q(N)$
in the statement of the robustness axiom, an adversary might easily make $A$ incorrect on a
finite number of instances.



16.7.1 Basic Results 

Having defined the complexity class DQP, in this subsection I establish its most basic
properties. First of all, it is immediate that BQP $\subseteq$ DQP; that is, sampling histories is at
least as powerful as standard quantum computation. For $v_1$, the first hidden-variable value
returned by $\mathcal{O}(\mathcal{T})$, can be seen as simply the result of applying a polynomial-size quantum
circuit $U_1$ to the initial state $|0\rangle^{\otimes \ell}$ and then measuring in the standard basis. A key further
observation is the following.

Theorem 143 Any universal gate set yields the same complexity class DQP. By universal, 
we mean that any unitary matrix (real or complex) can be approximated, without the need 
for ancilla qubits. 

Proof. Let $\mathcal{G}$ and $\mathcal{G}'$ be universal gate sets. Also, let $\mathcal{U} = (U_1, \ldots, U_T)$ be a
sequence of $\ell$-qubit unitaries, each specified by a polynomial-size quantum circuit over $\mathcal{G}$.
We have $T, \ell = O(\mathrm{poly}(n))$ where $n$ is the input length. We can also assume without loss
of generality that $\ell > n$, since otherwise we simply insert $n - \ell$ dummy qubits that are never
acted on (by the indifference axiom, this will not affect the results). We want to approximate
$\mathcal{U}$ by another sequence of $\ell$-qubit unitaries, $\mathcal{U}' = (U'_1, \ldots, U'_T)$, where each $U'_t$ is specified
by a quantum circuit over $\mathcal{G}'$. In particular, for all $t$ we want $\|U'_t - U_t\|_\infty < 2^{-\ell^2 T}$. By
the Solovay-Kitaev Theorem [153, 182], we can achieve this using $\mathrm{poly}(n, \ell^2 T) = \mathrm{poly}(n)$
gates from $\mathcal{G}'$; moreover, the circuit for $U'_t$ can be constructed in polynomial time given the
circuit for $U_t$.

Let $|\psi_t\rangle = U_t \cdots U_1 |0\rangle^{\otimes \ell}$ and $|\psi'_t\rangle = U'_t \cdots U'_1 |0\rangle^{\otimes \ell}$. Notice that for all $t \in
\{1, \ldots, T\}$,

$$\| |\psi_t\rangle - |\psi'_t\rangle \|_\infty < 2^\ell \left( \| |\psi_{t-1}\rangle - |\psi'_{t-1}\rangle \|_\infty + 2^{-\ell^2 T} \right) < T 2^{\ell T} \left( 2^{-\ell^2 T} \right) = T 2^{-\ell(\ell-1)T},$$

since $\| |\psi_0\rangle - |\psi'_0\rangle \|_\infty = 0$. Here $\|\ \|_\infty$ denotes the maximum entrywise difference between
two vectors in $\mathbb{C}^{2^\ell}$. Also, given a theory $\mathcal{T}$, let $P_t$ and $P'_t$ be the joint probabilities matrices
corresponding to $U_t$ and $U'_t$ respectively. Then by the robustness axiom, there exists
a polynomial $q$ such that if $\|U'_t - U_t\|_\infty < 1/q(2^\ell)$ and $\| |\psi'_{t-1}\rangle - |\psi_{t-1}\rangle \|_\infty < 1/q(2^\ell)$,
then $\|P_t - P'_t\|_\infty < 2^{-3\ell}$. For all such polynomials $q$, we have $2^{-\ell^2 T} < 1/q(2^\ell)$ and
$T 2^{-\ell(\ell-1)T} < 1/q(2^\ell)$ for sufficiently large $n < \ell$. Therefore $\|P_t - P'_t\|_\infty < 2^{-3\ell}$ for all $t$
and sufficiently large $n$.

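Now assume $n$ is sufficiently large, and consider the distributions $\Omega(\mathcal{U}, \mathcal{T})$ and
$\Omega(\mathcal{U}', \mathcal{T})$ over classical histories $H = (v_0, \ldots, v_T)$. For all $t \in \{1, \ldots, T\}$ and $x \in \{0,1\}^\ell$,
we have

$$\left| \Pr_{\Omega(\mathcal{U}, \mathcal{T})} [v_t = |x\rangle] - \Pr_{\Omega(\mathcal{U}', \mathcal{T})} [v_t = |x\rangle] \right| < 2^\ell \left( 2^{-3\ell} \right) = 2^{-2\ell}.$$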

It follows by the union bound that the variation distance $\|\Omega(\mathcal{U}', \mathcal{T}) - \Omega(\mathcal{U}, \mathcal{T})\|$ is at most

$$T 2^\ell \left( 2^{-2\ell} \right) = \frac{T}{2^\ell} < \frac{T}{2^n}.$$

In other words, $\Omega(\mathcal{U}', \mathcal{T})$ can be distinguished from $\Omega(\mathcal{U}, \mathcal{T})$ with bias at most $T/2^n$, which
is exponentially small. So any classical postprocessing algorithm that succeeds with high
probability given $H \in \Omega(\mathcal{U}, \mathcal{T})$, also succeeds with high probability given $H \in \Omega(\mathcal{U}', \mathcal{T})$.
This completes the theorem. ■

Unfortunately, the best upper bound on DQP I have been able to show is DQP $\subseteq$
EXP; that is, any problem in DQP is solvable in deterministic exponential time. The proof
is trivial: let $\mathcal{T}$ be the flow theory $\mathcal{FT}$. Then by using the Ford-Fulkerson algorithm, we can
clearly construct the requisite maximum flows in time polynomial in $2^\ell$ (hence exponential
in $n$), and thereby calculate the probability of each possible history $(v_1, \ldots, v_T)$ to suitable
precision.

16.8 The Juggle Subroutine 

This section presents a crucial subroutine that will be used in both main algorithms: the
algorithm for simulating statistical zero knowledge in Section 16.9, and the algorithm for
search in $N^{1/3}$ queries in Section 16.10. Given an $\ell$-qubit state $(|a\rangle + |b\rangle)/\sqrt{2}$, where $|a\rangle$
and $|b\rangle$ are unknown basis states, the goal of the juggle subroutine is to learn both $a$ and
$b$. The name arises because the strategy will be to "juggle" a hidden variable, so that if
it starts out at $|a\rangle$ then with non-negligible probability it transitions to $|b\rangle$, and vice versa.
Inspecting the entire history of the hidden variable will then reveal both $a$ and $b$, as desired.

To produce this behavior, we will exploit a basic feature of quantum mechanics:
that observable information in one basis can become unobservable phase information in a
different basis. We will apply a sequence of unitaries that hide all information about $a$ and
$b$ in phases, thereby forcing the hidden variable to "forget" whether it started at $|a\rangle$ or $|b\rangle$.
We will then invert those unitaries to return the state to $(|a\rangle + |b\rangle)/\sqrt{2}$, at which point the
hidden variable, having "forgotten" its initial value, must be unequal to that value with
probability 1/2.

I now give the subroutine. Let $|\psi\rangle = (|a\rangle + |b\rangle)/\sqrt{2}$ be the initial state. The
first unitary, $U_1$, consists of Hadamard gates on $\ell - 1$ qubits chosen uniformly at random,
and the identity operation on the remaining qubit, $i$. Next $U_2$ consists of a Hadamard gate
on qubit $i$. Finally $U_3$ consists of Hadamard gates on all $\ell$ qubits. Let $a = a_1 \ldots a_\ell$ and
$b = b_1 \ldots b_\ell$. Then since $a \ne b$, we have $a_i \ne b_i$ with probability at least $1/\ell$. Assuming
that occurs, the state

$$U_1 |\psi\rangle = \frac{1}{2^{\ell/2}} \left( \sum_{z \in \{0,1\}^\ell \,:\, z_i = a_i} (-1)^{a \cdot z - a_i z_i} |z\rangle + \sum_{z \in \{0,1\}^\ell \,:\, z_i = b_i} (-1)^{b \cdot z - b_i z_i} |z\rangle \right)$$

assigns nonzero amplitude to all $2^\ell$ basis states. Then $U_2 U_1 |\psi\rangle$ assigns nonzero amplitude
to $2^{\ell-1}$ basis states $|z\rangle$, namely those for which $a \cdot z \equiv b \cdot z \pmod 2$. Finally $U_3 U_2 U_1 |\psi\rangle = |\psi\rangle$.

Let $v_t$ be the value of the hidden variable after $U_t$ is applied. Then assuming
$a_i \ne b_i$, I claim that $v_3$ is independent of $v_0$. So in particular, if $v_0 = |a\rangle$ then $v_3 = |b\rangle$ with
1/2 probability, and if $v_0 = |b\rangle$ then $v_3 = |a\rangle$ with 1/2 probability. To see this, observe
that when $U_1$ is applied, there is no interference between basis states $|z\rangle$ such that $z_i = a_i$,
and those such that $z_i = b_i$. So by the indifference axiom, the probability mass at $|a\rangle$ must
spread out evenly among all $2^{\ell-1}$ basis states that agree with $a$ on the $i$th bit, and similarly
for the probability mass at $|b\rangle$. Then after $U_2$ is applied, $v_2$ can differ from $v_1$ only on the $i$th
bit, again by the indifference axiom. So each basis state of $U_2 U_1 |\psi\rangle$ must receive an equal
contribution from probability mass originating at $|a\rangle$, and probability mass originating at
$|b\rangle$. Therefore $v_2$ is independent of $v_0$, from which it follows that $v_3$ is independent of $v_0$
as well.

Unfortunately, the juggle subroutine only works with probability $1/(2\ell)$ — for it
requires that $a_i \ne b_i$, and even then, inspecting the history $(v_0, v_1, \ldots)$ only reveals both
$|a\rangle$ and $|b\rangle$ with probability 1/2. Furthermore, the definition of DQP does not allow more
than one call to the history oracle. However, all we need to do is pack multiple subroutine
calls into a single oracle call. That is, choose $U_4$ similarly to $U_1$ (except with a different
value of $i$), and set $U_5 = U_2$ and $U_6 = U_3$. Do the same with $U_7$, $U_8$, and $U_9$, and so
on. Since $U_3, U_6, U_9, \ldots$ all return the quantum state to $|\psi\rangle$, the effect is that of multiple
independent juggle attempts. With $2\ell^2$ attempts, we can make the failure probability at
most $(1 - 1/(2\ell))^{2\ell^2} < e^{-\ell}$.

As a final remark, it is easy to see that the juggle subroutine works equally well
with states of the form $|\psi\rangle = (|a\rangle - |b\rangle)/\sqrt{2}$. This will prove useful in Section 16.10.
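The scaling procedure of Theorem 141 and the juggle subroutine of this section, combined in an added example that is not code from the thesis: it builds $U_1, U_2, U_3$ for a chosen qubit $i$ with $a_i \ne b_i$, derives each step's stochastic matrix by alternating column and row normalization, and chains the three matrices to obtain the history statistics. All function names are hypothetical, and starting the iteration from the matrix with entries $|(U)_{ij}|$ is an assumption, since the definition of $U^{(0)}$ lies outside this section.

```python
import math

R = 1 / math.sqrt(2)
H = [[R, R], [R, -R]]          # Hadamard gate
ID = [[1.0, 0.0], [0.0, 1.0]]  # identity on one qubit


def kron(a, b):
    """Kronecker product of two matrices stored as lists of rows."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]


def layer(gates):
    """Tensor one-qubit gates (qubit 1 first = most significant bit) into one unitary."""
    u = [[1.0]]
    for g in gates:
        u = kron(u, g)
    return u


def apply(m, v):
    """Matrix-vector product; m[j][i] takes source index i to destination index j."""
    return [sum(m[j][i] * v[i] for i in range(len(v))) for j in range(len(m))]


def transition_matrix(u, psi, sweeps=100):
    """Scale |U| so column i sums to |psi_i|^2 and row j sums to |(U psi)_j|^2.

    Assumption: the iteration starts from the matrix with entries |(U)_ij|.
    Returns s with s[j][i] = Pr[next value = j | current value = i].
    """
    n = len(psi)
    col_target = [abs(x) ** 2 for x in psi]
    row_target = [abs(x) ** 2 for x in apply(u, psi)]
    m = [[abs(u[j][i]) for i in range(n)] for j in range(n)]
    for _ in range(sweeps):
        for i in range(n):                      # odd step: normalise columns
            total = sum(m[j][i] for j in range(n))
            f = col_target[i] / total if total > 0 else 0.0
            for j in range(n):
                m[j][i] *= f
        for j in range(n):                      # even step: normalise rows
            total = sum(m[j])
            f = row_target[j] / total if total > 0 else 0.0
            m[j] = [x * f for x in m[j]]
    # Normalise each column of the limit to sum to 1. Columns for basis states
    # the quantum state never occupies carry no probability and stay zero.
    s = [[0.0] * n for _ in range(n)]
    for i in range(n):
        total = sum(m[j][i] for j in range(n))
        if total > 1e-12:
            for j in range(n):
                s[j][i] = m[j][i] / total
    return s


def juggle(a, b, i):
    """One juggle attempt on (|a> + |b>)/sqrt(2) with special qubit i (1-based).

    a and b are distinct bit strings of equal length.
    Returns (Pr[v3 = b | v0 = a], Pr[v3 != v0], max_z |Pr[v2=z|v0=a] - Pr[v2=z|v0=b]|).
    """
    ell = len(a)
    ia, ib = int(a, 2), int(b, 2)
    psi = [0.0] * 2 ** ell
    psi[ia] = psi[ib] = R
    qubits = range(1, ell + 1)
    u1 = layer([ID if q == i else H for q in qubits])   # Hadamards off qubit i
    u2 = layer([H if q == i else ID for q in qubits])   # Hadamard on qubit i
    u3 = layer([H] * ell)                               # Hadamards everywhere
    # dist[s][v] = Pr[current hidden-variable value = v | v0 = s]
    dist = {s: [float(v == s) for v in range(2 ** ell)] for s in (ia, ib)}
    gap_v2 = None
    for step, u in enumerate((u1, u2, u3), start=1):
        s_mat = transition_matrix(u, psi)
        dist = {s: apply(s_mat, d) for s, d in dist.items()}
        psi = apply(u, psi)
        if step == 2:
            gap_v2 = max(abs(p - q) for p, q in zip(dist[ia], dist[ib]))
    flip = dist[ia][ib]
    differ = 0.5 * dist[ia][ib] + 0.5 * dist[ib][ia]   # v0 is a or b with prob. 1/2
    return flip, differ, gap_v2


if __name__ == "__main__":
    for a, b, i in [("00", "11", 2), ("000", "101", 1), ("0110", "1010", 2)]:
        print(a, b, i, juggle(a, b, i))
```

The third return value is the independence claim for $v_2$ in numerical form: it is zero (up to rounding) exactly when the two conditional distributions of $v_2$ coincide.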

16.9 Simulating SZK 

This section shows that SZK $\subseteq$ DQP. Here SZK, or Statistical Zero Knowledge, was
originally defined as the class of problems that possess a certain kind of "zero-knowledge
proof protocol" — that is, a protocol between an omniscient prover and a verifier, by which
the verifier becomes convinced of the answer to a problem, yet without learning anything
else about the problem. However, for present purposes this cryptographic definition of
SZK is irrelevant. For Sahai and Vadhan |2U9j have given an alternate and much simpler
characterization: a problem is in SZK if and only if it can be reduced to a problem called
Statistical Difference, which involves deciding whether two probability distributions are
close or far.
More formally, let $P_0$ and $P_1$ be functions that map $n$-bit strings to $q(n)$-bit strings
for some polynomial $q$, and that are specified by classical polynomial-time algorithms. Let
$\Lambda_0$ and $\Lambda_1$ be the probability distributions over $P_0(x)$ and $P_1(x)$ respectively, if $x \in \{0,1\}^n$
is chosen uniformly at random. Then the problem is to decide whether $\|\Lambda_0 - \Lambda_1\|$ is less
than 1/3 or greater than 2/3, given that one of these is the case. Here

$$\|\Lambda_0 - \Lambda_1\| = \frac{1}{2} \sum_{y \in \{0,1\}^{q(n)}} \left| \Pr_{x \in \{0,1\}^n} [P_0(x) = y] - \Pr_{x \in \{0,1\}^n} [P_1(x) = y] \right|$$

is the variation distance between $\Lambda_0$ and $\Lambda_1$.

To illustrate, let us see why Graph Isomorphism is in SZK. Given two graphs
$G_0$ and $G_1$, take $\Lambda_0$ to be the uniform distribution over all permutations of $G_0$, and $\Lambda_1$ to
be uniform over all permutations of $G_1$. This way, if $G_0$ and $G_1$ are isomorphic, then $\Lambda_0$
and $\Lambda_1$ will be identical, so $\|\Lambda_0 - \Lambda_1\| = 0$. On the other hand, if $G_0$ and $G_1$ are
non-isomorphic, then $\Lambda_0$ and $\Lambda_1$ will be perfectly distinguishable, so $\|\Lambda_0 - \Lambda_1\| = 1$. Since $\Lambda_0$
and $\Lambda_1$ are clearly samplable by polynomial-time algorithms, it follows that any instance
of Graph Isomorphism can be expressed as an instance of Statistical Difference. For a
proof that Approximate Shortest Vector is in SZK, the reader is referred to Goldreich and
Goldwasser [129] (see also Aharonov and Ta-Shma [23]).

The proof will use the following "amplification lemma" from [2f 



Lemma 144 (Sahai and Vadhan) Given efficiently-samplable distributions $\Lambda_0$ and $\Lambda_1$,
we can construct new efficiently-samplable distributions $\Lambda'_0$ and $\Lambda'_1$, such that if $\|\Lambda_0 - \Lambda_1\| <
1/3$ then $\|\Lambda'_0 - \Lambda'_1\| < 2^{-n}$, while if $\|\Lambda_0 - \Lambda_1\| > 2/3$ then $\|\Lambda'_0 - \Lambda'_1\| > 1 - 2^{-n}$.

In particular, Lemma 144 means we can assume without loss of generality that
either $\|\Lambda_0 - \Lambda_1\| < 2^{-n^c}$ or $\|\Lambda_0 - \Lambda_1\| > 1 - 2^{-n^c}$ for some constant $c > 0$.

Having covered the necessary facts about SZK, we can now proceed to the main
result.

Theorem 145 SZK $\subseteq$ DQP.

Proof. We show how to solve Statistical Difference by using a history oracle. For
simplicity, we start with the special case where $P_0$ and $P_1$ are both one-to-one functions.
In this case, the circuit sequence $\mathcal{U}$ given to the history oracle does the following: it first
prepares the state

$$\sum_{b \in \{0,1\},\, x \in \{0,1\}^n} |b\rangle |x\rangle |P_b(x)\rangle.$$

It then applies the juggle subroutine to the joint state of the $|b\rangle$ and $|x\rangle$ registers, taking
$\ell = n + 1$. Notice that by the indifference axiom, the hidden variable will never transition
from one value of $P_b(x)$ to another — exactly as if we had measured the third register in the
standard basis. All that matters is the reduced state of the first two registers, which
has the form $(|0\rangle |x_0\rangle + |1\rangle |x_1\rangle)/\sqrt{2}$ for some $x_0, x_1$ if $\|\Lambda_0 - \Lambda_1\| = 0$, and $|b\rangle |x\rangle$ for some
$b, x$ if $\|\Lambda_0 - \Lambda_1\| = 1$. We have already seen that the juggle subroutine can distinguish
these two cases: when the hidden-variable history is inspected, it will contain two values of
the $|b\rangle$ register in the former case, and only one value in the latter case. Also, clearly the
case $\|\Lambda_0 - \Lambda_1\| < 2^{-n^c}$ is statistically indistinguishable from $\|\Lambda_0 - \Lambda_1\| = 0$ with respect to
the subroutine, and likewise $\|\Lambda_0 - \Lambda_1\| > 1 - 2^{-n^c}$ is indistinguishable from $\|\Lambda_0 - \Lambda_1\| = 1$.

6 Note that in this lemma, the constants 1/3 and 2/3 are not arbitrary; it is important for technical
reasons that $(2/3)^2 > 1/3$.

We now consider the general case, where $P_0$ and $P_1$ need not be one-to-one. Our
strategy is to reduce to the one-to-one case, by using a well-known hashing technique of
Valiant and Vazirani [231]. Let $\mathcal{D}_{n,k}$ be the uniform distribution over all affine functions
mapping $\{0,1\}^n$ to $\{0,1\}^k$, where we identify those sets with the finite fields $\mathbb{F}_2^n$ and $\mathbb{F}_2^k$
respectively. What Valiant and Vazirani showed is that, for all subsets $A \subseteq \{0,1\}^n$ such
that $2^{k-2} < |A| < 2^{k-1}$, and all $s \in \{0,1\}^k$,

$$\Pr_{h \in \mathcal{D}_{n,k}} \left[ \left| A \cap h^{-1}(s) \right| = 1 \right] > \frac{1}{8}.$$

As a corollary, the expectation over $h \in \mathcal{D}_{n,k}$ of

$$\left| \left\{ s \in \{0,1\}^k : \left| A \cap h^{-1}(s) \right| = 1 \right\} \right|$$

is at least $2^k/8$. It follows that, if $x$ is drawn uniformly at random from $A$, then

$$\Pr_{h,x} \left[ \left| A \cap h^{-1}(h(x)) \right| = 1 \right] > \frac{2^k/8}{|A|} > \frac{1}{4}.$$

This immediately suggests the following algorithm for the many-to-one case. Draw $k$
uniformly at random from $\{2, \ldots, n + 1\}$; then draw $h_0, h_1 \in \mathcal{D}_{n,k}$. Have $\mathcal{U}$ prepare the
state

$$\sum_{b \in \{0,1\},\, x \in \{0,1\}^n} |b\rangle |x\rangle |P_b(x)\rangle |h_b(x)\rangle,$$

and then apply the juggle subroutine to the joint state of the $|b\rangle$ and $|x\rangle$ registers, ignoring
the $|P_b(x)\rangle$ and $|h_b(x)\rangle$ registers as before.

Suppose $\|\Lambda_0 - \Lambda_1\| = 0$. Also, given $x \in \{0,1\}^n$ and $i \in \{0,1\}$, let $A_i =
P_i^{-1}(P_i(x))$ and $H_i = h_i^{-1}(h_i(x))$, and suppose $2^{k-2} < |A_0| = |A_1| < 2^{k-1}$. Then

$$\Pr_{s,h} \left[ |A_0 \cap H_0| = 1 \wedge |A_1 \cap H_1| = 1 \right] > \left( \frac{1}{4} \right)^2,$$

since the events $|A_0 \cap H_0| = 1$ and $|A_1 \cap H_1| = 1$ are independent of each other conditioned
on $x$. Assuming both events occur, as before the juggle subroutine will reveal both $|0\rangle |x_0\rangle$
and $|1\rangle |x_1\rangle$ with high probability, where $x_0$ and $x_1$ are the unique elements of $A_0 \cap H_0$
and $A_1 \cap H_1$ respectively. By contrast, if $\|\Lambda_0 - \Lambda_1\| = 1$ then only one value of the $|b\rangle$
register will ever be observed. Again, replacing $\|\Lambda_0 - \Lambda_1\| = 0$ by $\|\Lambda_0 - \Lambda_1\| < 2^{-n^c}$, and
$\|\Lambda_0 - \Lambda_1\| = 1$ by $\|\Lambda_0 - \Lambda_1\| > 1 - 2^{-n^c}$, can have only a negligible effect on the history
distribution.
Of course, the probability that the correct value of $k$ is chosen, and that $A_0 \cap H_0$
and $A_1 \cap H_1$ both have a unique element, could be as low as $1/(16n)$. To deal with this,
we simply increase the number of calls to the juggle subroutine by an $O(n)$ factor, drawing
new values of $k, h_0, h_1$ for each call. We pack multiple subroutine calls into a single oracle
call as described in Section 16.8, except that now we uncompute the entire state (returning
it to $|0 \cdots 0\rangle$) and then recompute it between subroutine calls. A final remark: since the
algorithm that calls the history oracle is deterministic, we "draw" new values of $k, h_0, h_1$ by
having $\mathcal{U}$ prepare a uniform superposition over all possible values. The indifference axiom
justifies this procedure, by guaranteeing that within each call to the juggle subroutine, the
hidden-variable values of $k$, $h_0$, and $h_1$ remain constant. ■
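The two Valiant-Vazirani isolation probabilities used in the proof above can be computed exactly for small parameters. The following added example (not code from the thesis) enumerates every affine map from $\mathbb{F}_2^4$ to $\mathbb{F}_2^3$ and evaluates both probabilities for constructed sets $A$; the function names and the sample sets are assumptions made for illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def parity(v):
    """Parity of the set bits of v, i.e. an inner product over F_2."""
    return bin(v).count("1") & 1


def affine_maps(n, k):
    """Yield every affine map h(x) = Mx + c from F_2^n to F_2^k.

    M is given as k row masks of n bits each, c as a k-bit offset, so the
    enumeration is exactly the uniform distribution over affine functions.
    """
    for rows in product(range(2 ** n), repeat=k):
        for c in range(2 ** k):
            yield rows, c


def image(h, x):
    """Evaluate h on the n-bit string x (both encoded as integers)."""
    rows, c = h
    y = 0
    for mask in rows:                 # output bit = <row, x> over F_2
        y = (y << 1) | parity(mask & x)
    return y ^ c


def isolation(a_set, n, k, s=0):
    """Exact isolation probabilities for the set A over a random affine h.

    Returns (Pr_h[|A ∩ h^-1(s)| = 1], Pr_{h, x in A}[|A ∩ h^-1(h(x))| = 1])
    as Fractions, by brute-force enumeration of all 2^(nk + k) maps.
    """
    total = hit_s = hit_x = 0
    for h in affine_maps(n, k):
        counts = Counter(image(h, x) for x in a_set)
        total += 1
        hit_s += counts[s] == 1
        # Every hash value hit exactly once isolates exactly one x in A.
        hit_x += sum(1 for v in counts.values() if v == 1)
    return Fraction(hit_s, total), Fraction(hit_x, total * len(a_set))


if __name__ == "__main__":
    n, k = 4, 3
    # Constructed sets of sizes 2, 3 and 4 (2^(k-2) = 2 and 2^(k-1) = 4).
    for a_set in ([3, 12], [1, 6, 11], [0, 1, 2, 3]):
        by_target, by_sample = isolation(a_set, n, k)
        print(a_set, by_target, float(by_target), by_sample, float(by_sample))
```

For three distinct points the images are jointly uniform, which is why the size-3 set gives exactly $3 \cdot \frac{1}{8} \cdot \left(\frac{7}{8}\right)^2$ for the first probability.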

Recall from Chapter El that there exists an oracle $A$ relative to which SZK$^A \not\subseteq$
BQP$^A$. By contrast, since Theorem 145 is easily seen to relativize, we have SZK$^A \subseteq$ DQP$^A$
for all oracles $A$. It follows that there exists an oracle $A$ relative to which BQP$^A \ne$ DQP$^A$.

16.10 Search in $N^{1/3}$ Queries

Given a Boolean function $f : \{0,1\}^n \to \{0,1\}$, the database search problem is simply to
find a string $x$ such that $f(x) = 1$. We can assume without loss of generality that this
"marked item" $x$ is unique.$^7$ We want to find it using as few queries to $f$ as possible, where
a query returns $f(y)$ given $y$.

Let $N = 2^n$. Then classically, of course, $\Theta(N)$ queries are necessary and sufficient.
By querying $f$ in superposition, Grover's algorithm [139] finds $x$ using $O(N^{1/2})$ queries,
together with $\tilde{O}(N^{1/2})$ auxiliary computation steps (here the $\tilde{O}$ hides a factor of the form
$(\log N)^c$). Bennett et al. jSJ showed that any quantum algorithm needs $\Omega(N^{1/2})$ queries.

In this section, I show how to find the marked item by sampling histories, using
only $O(N^{1/3})$ queries and $O(N^{1/3})$ computation steps. Formally, the model is as follows.
Each of the quantum circuits $U_1, \ldots, U_T$ that algorithm $A$ gives to the history oracle $\mathcal{O}(\mathcal{T})$
is now able to query $f$. Suppose $U_t$ makes $q_t$ queries to $f$; then the total number of queries
made by $A$ is defined to be $Q = q_1 + \cdots + q_T$. The total number of computation steps is
at least the number of steps required to write down $U_1, \ldots, U_T$, but could be greater.

Theorem 146 In the DQP model, we can search a database of $N$ items for a unique marked
item using $O(N^{1/3})$ queries and $O(N^{1/3})$ computation steps.

Proof. Assume without loss of generality that $N = 2^n$ with $n|3$, and that each
database item is labeled by an $n$-bit string. Let $x \in \{0,1\}^n$ be the label of the unique
marked item. Then the sequence of quantum circuits $\mathcal{U}$ does the following: it first runs
$O(2^{n/3})$ iterations of Grover's algorithm, in order to produce the $n$-qubit state
$\alpha |x\rangle + \beta \sum_{y \in \{0,1\}^n} |y\rangle$, where

$$\alpha = \sqrt{\frac{1}{2^{n/3} + 2^{-n/3+1} + 1}}, \qquad \beta = 2^{-n/3} \alpha$$

(one can check that this state is normalized). Next $\mathcal{U}$ applies Hadamard gates to the first
$n/3$ qubits. This yields the state

$$2^{-n/6} \alpha \sum_{y \in \{0,1\}^{n/3}} (-1)^{x_A \cdot y} |y\rangle |x_B\rangle + 2^{n/6} \beta \sum_{z \in \{0,1\}^{2n/3}} |0\rangle^{\otimes n/3} |z\rangle,$$

where $x_A$ consists of the first $n/3$ bits of $x$, and $x_B$ consists of the remaining $2n/3$ bits. Let
$Y$ be the set of $2^{n/3}$ basis states of the form $|y\rangle |x_B\rangle$, and $Z$ be the set of $2^{2n/3}$ basis states
of the form $|0\rangle^{\otimes n/3} |z\rangle$.

7 For if there are multiple marked items, then we can reduce to the unique marked item case by using the
Valiant-Vazirani hashing technique described in Theorem 145.

Notice that $2^{-n/6} \alpha = 2^{n/6} \beta$. So with the sole exception of $|0\rangle^{\otimes n/3} |x_B\rangle$ (which
belongs to both $Y$ and $Z$), the "marked" basis states in $Y$ have the same amplitude as the
"unmarked" basis states in $Z$. This is what we wanted. Notice also that, if we manage to
find any $|y\rangle |x_B\rangle \in Y$, then we can find $x$ itself using $2^{n/3}$ further classical queries: simply
test all possible strings that end in $x_B$. Thus, the goal of our algorithm will be to cause the
hidden variable to visit an element of $Y$, so that inspecting the variable's history reveals
that element.

As in Theorem 145, the tools that we need are the juggle subroutine, and a way
of reducing many basis states to two. Let $s$ be drawn uniformly at random from $\{0,1\}^{n/3}$.
Then $\mathcal{U}$ appends a third register to the state, and sets it equal to $|z\rangle$ if the first two registers
have the form $|0\rangle^{\otimes n/3} |z\rangle$, or to $|s, y\rangle$ if they have the form $|y\rangle |x_B\rangle$. Disregarding the basis
state $|0\rangle^{\otimes n/3} |x_B\rangle$ for convenience, the result is

$$2^{-n/6} \alpha \left( \sum_{y \in \{0,1\}^{n/3}} (-1)^{x_A \cdot y} |y\rangle |x_B\rangle |s, y\rangle + \sum_{z \in \{0,1\}^{2n/3}} |0\rangle^{\otimes n/3} |z\rangle |z\rangle \right).$$

Next $\mathcal{U}$ applies the juggle subroutine to the joint state of the first two registers. Suppose
the hidden-variable value has the form $|0\rangle^{\otimes n/3} |z\rangle |z\rangle$ (that is, lies outside $Y$). Then with
probability $2^{-n/3}$ over $s$, the first $n/3$ bits of $z$ are equal to $s$. Suppose this event occurs.
Then conditioned on the third register being $|z\rangle$, the reduced state of the first two registers
is

$$(-1)^{x_A \cdot z_B} |z_B\rangle |x_B\rangle + |0\rangle^{\otimes n/3} |z\rangle,$$

where $z_B$ consists of the last $n/3$ bits of $z$. So it follows from Section 16.8 that with
probability $\Omega(1/n)$, the juggle subroutine will cause the hidden variable to transition from
$|0\rangle^{\otimes n/3} |z\rangle$ to $|z_B\rangle |x_B\rangle$, and hence from $Z$ to $Y$.

The algorithm calls the juggle subroutine $\Theta(2^{n/3} n) = \Theta(N^{1/3} \log N)$ times, drawing
a new value of $s$ and recomputing the third register after each call. Each call moves
the hidden variable from $Z$ to $Y$ with independent probability $\Omega(2^{-n/3}/n)$; therefore with
high probability some call does so. Note that this juggling phase does not involve any
database queries. Also, as in Theorem 145, "drawing" $s$ really means preparing a uniform
superposition over all possible $s$. Finally, the probability that the hidden variable ever visits
the basis state $|0\rangle^{\otimes n/3} |x_B\rangle$ is exponentially small (by the union bound), which justifies
our having disregarded it. ■
A curious feature of Theorem 146 is the tradeoff between queries and computation
steps. Suppose we had run $Q$ iterations of Grover's algorithm, or in other words made $Q$
queries to $f$. Then provided $Q < \sqrt{N}$, the marked state $|x\rangle$ would have occurred with
probability $\Omega(Q^2/N)$, meaning that $O(N/Q^2)$ calls to the juggle subroutine would have
been sufficient to find $x$. Of course, the choice of $Q$ that minimizes $\max\{Q, N/Q^2\}$ is
$Q = N^{1/3}$. On the other hand, had we been willing to spend $O(N)$ computation steps, we
could have found $x$ with only a single query!$^8$ Thus, one might wonder whether some other
algorithm could push the number of queries below $N^{1/3}$, without simultaneously increasing
the number of computation steps. The following theorem rules out that possibility.

Theorem 147 In the DQP model, $\Omega(N^{1/3})$ computation steps are needed to search an
$N$-item database for a unique marked item. As a consequence, there exists an oracle relative
to which NP $\not\subseteq$ DQP; that is, NP-complete problems are not efficiently solvable by sampling
histories.

Proof. Let $N = 2^n$ and $f : \{0,1\}^n \to \{0,1\}$. Given a sequence of quantum
circuits $\mathcal{U} = (U_1, \ldots, U_T)$ that query $f$, and assuming that $x \in \{0,1\}^n$ is the unique string
such that $f(x) = 1$, let $|\psi_t(x)\rangle$ be the quantum state after $U_t$ is applied but before $U_{t+1}$
is. Then the "hybrid argument" of Bennett et al. |5J implies that, by simply changing the
location of the marked item from $x$ to $x^*$, we can ensure that

where $\|\ \|$ represents trace distance, and $Q_t$ is the total number of queries made to $f$ by
$U_1, \ldots, U_t$. Therefore $O(Q_t^2/N)$ provides an upper bound on the probability of noticing
the $x \to x^*$ change by monitoring $v_t$, the value of the hidden variable after $U_t$ is applied. So
by the union bound, the probability of noticing the change by monitoring the entire history
$(v_1, \ldots, v_T)$ is at most of order

$$\sum_{t=1}^{T} \frac{Q_t^2}{N} \le \frac{T Q_T^2}{N}.$$

This cannot be $\Omega(1)$ unless $T = \Omega(N^{1/3})$ or $Q_T = \Omega(N^{1/3})$, either of which implies an
$\Omega(N^{1/3})$ lower bound on the total number of steps.

To obtain an oracle relative to which NP $\not\subseteq$ DQP, we can now use a standard and
well-known "diagonalization method" due to Baker, Gill, and Solovay |1J to construct an
infinite sequence of exponentially hard search problems, such that any DQP machine fails
on at least one of the problems, whereas there exists an NP machine that succeeds on all of
them. Details are omitted. ■

16.11 Conclusions and Open Problems 

The idea that certain observables in quantum mechanics might have trajectories governed
by dynamical laws has reappeared many times: in Schrödinger's 1931 stochastic approach
[213], Bohmian mechanics [59], modal interpretations [39, 96, 97], and elsewhere. Yet
because all of these proposals yield the same predictions for single-time probabilities, if we
are to decide between them it must be on the basis of internal mathematical considerations.
One message of this chapter has been that such considerations can actually get us quite far.

8 One should not make too much of this fact; one way to interpret it is simply that the "number of queries"
should be redefined as $Q + T$ rather than $Q$.

To focus attention on the core issues, I restricted attention to the simplest possible 
setting: discrete time, a finite-dimensional Hilbert space, and a single orthogonal basis. 
Within this setting, I proposed what seem like reasonable axioms that any hidden-variable 
theory should satisfy: for example, indifference to the identity operation, robustness to 
small perturbations, and independence of the temporal order of spacelike-separated events. 
I then showed that not all of these axioms can be satisfied simultaneously. But perhaps more 
surprisingly, I also showed that certain subsets of axioms can be satisfied for quite nontrivial 
reasons. In showing that the indifference and robustness axioms can be simultaneously 
satisfied, Section 16.6 revealed an unexpected connection between unitary matrices and the
classical theory of network flows.

As mentioned previously, an important open problem is to show that the Schrödinger
theory satisfies robustness. Currently, I can only show that the matrix $P_{\mathcal{ST}}(\rho, U)$ is robust
to exponentially small perturbations, not polynomially small ones. The problem is that if
any row or column sum in the $U^{(t)}$ matrix is extremely small, then the (r, c)-scaling process
will magnify tiny errors in the entries. Intuitively, though, this effect should be washed out
by later scaling steps.

A second open problem is whether there exists a theory that satisfies indifference, 
as well as commutativity for all separable mixed states (not just separable pure states). 
A third problem is to investigate other notions of robustness — for example, robustness to 
small multiplicative rather than additive errors. 

On the complexity side, perhaps the most interesting problem left open by this 
chapter is the computational complexity of simulating Bohmian mechanics. I strongly 
conjecture that this problem, like the hidden-variable problems we have seen, is strictly 
harder than simulating an ordinary quantum computer. The trouble is that Bohmian 
mechanics does not quite fit in the framework of this chapter: as discussed in Section
16.3.2, we cannot have deterministic hidden-variable trajectories for discrete degrees of
freedom such as qubits. Even worse, Bohmian mechanics violates the continuous analogue 
of the indifference axiom. On the other hand, this means that by trying to implement 
(say) the juggle subroutine with Bohmian trajectories, one might learn not only about 
Bohmian mechanics and its relation to quantum computation, but also about how essential 
the indifference axiom really is for our implementation. 

Another key open problem is to show better upper bounds on DQP. Recall that
I was only able to show DQP $\subseteq$ EXP, by giving a classical exponential-time algorithm to
simulate the flow theory $\mathcal{FT}$. Can we improve this to (say) DQP $\subseteq$ PSPACE? Clearly
it would suffice to give a PSPACE algorithm that computes the transition probabilities for
some theory $\mathcal{T}$ satisfying the indifference and robustness axioms. On the other hand, this
might not be necessary — that is, there might be an indirect simulation method that does
not work by computing (or even sampling from) the distribution over histories. It would
also be nice to pin down the complexities of simulating specific hidden-variable theories,
such as $\mathcal{FT}$ and $\mathcal{ST}$.
Chapter 17

Summary of Part II

Recall our hypothetical visitor from Conway's Game of Life, on a complexity safari
of the physical universe. Based on the results in Part II, the following are some intuitions
about efficient computation that I would advise our visitor to toss in the garbage.

• We can be fairly confident that the class of functions efficiently computable in the 
physical world coincides with P (or BPP, which is presumably equal). 

• Although there are models of efficient computation more powerful than P, involving 
the manipulation of arbitrary real or complex numbers, these models will inevitably 
blow up small errors in the numbers nonlinearly, and must therefore be unphysical.

• A robot, moving at unit speed, would need order n steps to search a spatial region of 
size n for a marked item. 

• The ability to see one's entire "history" in a single time step cannot yield any complexity- 
theoretic advantage, since one could always just record the history as one went along, 
at the cost of a polynomial increase in memory. 

On the other hand, just as in Part I, we have seen that many of the intuitions in
our visitor's suitcase are good to go. For example:

• If the items in a database have distance d from one another, then the time needed to 
search the database is about d times what it would be if the items had unit distance 
from one another. 

• It is possible to choose a probability distribution over histories, in such a way that state 
i is never followed in a history by state j if the corresponding transition probability 
is zero, and such that a small change to the transition matrices produces only a small 
change in the history distribution. 

• If, at the moment of your death, your entire life's history flashed before you in an 
instant, then you could probably still not solve NP-complete problems in polynomial 
time. 